Phillip Hofmeister | 8 Jul 15:33

Re: Debian Security Support in Place

On Fri, 08 Jul 2005 at 01:58:40AM -0400, Martin Schulze wrote:
> The security team will continue to support Debian GNU/Linux 3.0 alias
> woody until May 2006, or if the security support for the next release,
> codenamed etch, starts, whatever happens first.

Now I LOVE Debian a lot.  It is my favorite distro, and I hope this
isn't seen as a flame.  But, two Debian releases in one year?  That's
kind of funny <grins>.

-- 
Phillip Hofmeister

Horst Pflugstaedt | 8 Jul 17:05

Re: Debian Security Support in Place

On Fri, Jul 08, 2005 at 09:33:29AM -0400, Phillip Hofmeister wrote:
> On Fri, 08 Jul 2005 at 01:58:40AM -0400, Martin Schulze wrote:
> > The security team will continue to support Debian GNU/Linux 3.0 alias
> > woody until May 2006, or if the security support for the next release,
> > codenamed etch, starts, whatever happens first.
> 
> 
> Now I LOVE Debian a lot.  It is my favorite distro, and I hope this
> isn't seen as a flame.  But, two Debian releases in one year?  That's
> kind of funny <grins>.

IIRC security support for sarge started before its release.

Horst.

-- 
	"For I perceive that behind this seemingly unrelated sequence
of events, there lurks a singular, sinister attitude of mind."
	"Whose?"
	"MINE! HA-HA!"

Martin Wodrich | 8 Jul 17:53

Re: Debian Security Support in Place


Horst Pflugstaedt wrote:

>> Now I LOVE Debian a lot.  It is my favorite distro, and I hope this
>> isn't seen as a flame.  But, two Debian releases in one year?  That's
>> kind of funny <grins>.
> IIRC security support for sarge started before its release.

But only one month before the release.

-- 
Kind regards,
Martin Wodrich

Re: Debian Security Support in Place


[Martin Wodrich]
>> IIRC security support for sarge started before its release.
>
> But only one month before the release.

That depends on your definition of support.  The testing security team
was working hard to secure it a long time before sarge was released.

<URL:http://secure-testing.alioth.debian.org/>

Martin Wodrich | 10 Jul 09:22

Re: Debian Security Support in Place


Petter Reinholdtsen wrote:

> [Martin Wodrich]
>>> IIRC security support for sarge started before its release.
>> But only one month before the release.
> That depends on your definition of support.

Ok, that's true.
I mean the possibility of security updates.

> The testing security team was working hard to secure it a long time before sarge was released.

Ok, that's fine.

-- 
Kind regards,
Martin Wodrich

Martin Wodrich | 8 Jul 17:23

Re: Debian Security Support in Place


Phillip Hofmeister wrote:

>> The security team will continue to support Debian GNU/Linux 3.0 alias
>> woody until May 2006, or if the security support for the next release,
>> codenamed etch, starts, whatever happens first.
> Now I LOVE Debian a lot.  It is my favorite distro, and I hope this
> isn't seen as a flame.  But, two Debian releases in one year?  That's
> kind of funny <grins>.

But in the past there were some Debian releases with less than one
year from one to the other.

In Wikipedia there is a good table:
Debian Linux (stable releases)
Version  Name    Date
0.93R6   -       26 October 1995
1.1      Buzz    17 June 1996
1.2      Rex     12 December 1996
1.3      Bo      5 June 1997
2.0      Hamm    24 July 1998
2.1      Slink   9 March 1999
2.2      Potato  15 August 2000
3.0      Woody   19 July 2002
3.1      Sarge   6 June 2005
?        Etch    -

0.93R6 -> 1.1 :  8 months
1.1 -> 1.2    :  6 months
1.2 -> 1.3    :  6 months

Lupe Christoph | 9 Jul 10:22

Re: Debian Security Support in Place

> The security team will continue to support Debian GNU/Linux 3.0 alias
> woody until May 2006, or if the security support for the next release,
> codenamed etch, starts, whatever happens first.

This is equivalent to saying "We will rip security support for oldstable
from under your feet at any time just as we please".

This is not acceptable in a production environment. May 2006 is less
than a full year anyhow, which is very short for a production
environment.

I have several machines I cannot update before January 2006 because I
have a contract that keeps me busy fulltime for a different customer.
That contract may be prolonged.

Incidentally, that customer is using SLES 8 (SuSE Linux Enterprise
Server) and has no capacity to upgrade to SLES 9 for at least a year.
With SLES 8, this is not a problem because of the long support
timeframe. Which is exactly the reason they go with SLES rather than the
regular SuSE releases.

So in essence the announcement says "screw you, commercial customers".

Please don't do that. It makes promoting Debian awkward.

Thank you for your attention,
Lupe Christoph
-- 
| lupe <at> lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you                              |

martin f krafft | 9 Jul 10:37

Re: Debian Security Support in Place

thus spoke Lupe Christoph <lupe <at> lupe-christoph.de> [2005.07.09.1022 +0200]:
> > The security team will continue to support Debian GNU/Linux 3.0
> > alias woody until May 2006, or if the security support for the
> > next release, codenamed etch, starts, whatever happens first.
> 
> This is equivalent to saying "We will rip security support for
> oldstable from under your feet at any time just as we please".

No, it's not. It's worded a little awkwardly, but herewith you get
my promise that etch will not happen first. So May 2006 it is. You
are welcome to get those companies to come up with funding to allow
us to pay 1-2 people taking care of sarge after May 2006.

And if that is unacceptable to you: Ubuntu has announced a 5 year
support plan for server systems:
  http://www.ubuntulinux.org/UbuntuFoundation

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <madduck <at> debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"it is easier to be a lover than a husband for the simple reason
 that it is more difficult to be witty every day
 than to say pretty things from time to time."

Lupe Christoph | 9 Jul 12:25

Re: Debian Security Support in Place

On Saturday, 2005-07-09 at 10:37:27 +0200, martin f krafft wrote:
> thus spoke Lupe Christoph <lupe <at> lupe-christoph.de> [2005.07.09.1022 +0200]:
> > > The security team will continue to support Debian GNU/Linux 3.0
> > > alias woody until May 2006, or if the security support for the
> > > next release, codenamed etch, starts, whatever happens first.

> > This is equivalent to saying "We will rip security support for
> > oldstable from under your feet at any time just as we please".

> No, it's not. It's worded a little awkwardly, but herewith you get
> my promise that etch will not happen first. So May 2006 it is. You
> are welcome to get those companies to come up with funding to allow
> us to pay 1-2 people taking care of sarge after May 2006.

If I can get the customer who owns the Woody system to fund *me* for
upgrading them, I'll be glad...

> And if that is unacceptable to you: Ubuntu has announced a 5 year
> support plan for server systems:
>   http://www.ubuntulinux.org/UbuntuFoundation

Let's not discuss Ubuntu here, so I just say I'm running a Debian
Testing system, and that is running quite nicely without any "Testing
will be broken for the next few months". Having Unstable and Experimental
is a Very Good Thing.

I set up two servers with Testing even though I could not be sure when
fixes for security holes would come up. These have now migrated to Stable
because I used "sarge" rather than "testing" in /etc/apt/sources.list.
And they are updated when an applicable DSA comes out.
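The point above about writing "sarge" rather than "testing" in /etc/apt/sources.list can be checked mechanically. The following is an added example, not code from this thread or from Debian: a hypothetical shell function, check_sources, that flags apt source lines tracking a moving suite alias (stable, testing, unstable, oldstable) instead of a fixed release codename; the sources.list it inspects is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the thread): flag apt source lines that track a
# moving suite alias instead of a fixed release codename. A host following
# "testing" or "stable" silently changes release when Debian does; a codename
# such as "sarge" only moves when the admin edits sources.list.

# check_sources FILE
# Prints each offending line; exits with the number of lines flagged (0 = clean).
check_sources() {
    awk '
        # skip blank lines and comments
        NF == 0 || /^[[:space:]]*#/ { next }
        # deb|deb-src [options] URI SUITE COMPONENT...
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # step over an optional [arch=...] block, which may span fields
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            suite = $(i + 1)
            sub(/\/.*/, "", suite)          # "sarge/updates" -> "sarge"
            if (suite ~ /^(oldstable|stable|testing|unstable)$/) {
                printf "%s:%d: tracks moving suite \"%s\": %s\n", FILENAME, FNR, suite, $0
                bad++
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample sources.list mixing codename and alias lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://ftp.debian.org/debian sarge main
deb http://security.debian.org/ sarge/updates main
# deb http://ftp.debian.org/debian testing main
deb http://ftp.debian.org/debian testing main
deb-src http://ftp.debian.org/debian stable main
EOF

flagged=0
check_sources "$sample" || flagged=$?
echo "lines tracking a moving suite: $flagged"    # 2
rm -f "$sample"
```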

Martin Schulze | 9 Jul 10:42

Re: Debian Security Support in Place

Lupe Christoph wrote:
> > The security team will continue to support Debian GNU/Linux 3.0 alias
> > woody until May 2006, or if the security support for the next release,
> > codenamed etch, starts, whatever happens first.
> 
> This is equivalent to saying "We will rip security support for oldstable
> from under your feet at any time just as we please".

No, it is not.  Please read again.

> This is not acceptable in a production environment. May 2006 is less
> than a full year anyhow, which is very short for a production
> environment.

It'll be end of May 2006, which will be one year minus 6 days or so
after the release of sarge.  Do we need to discuss days?

> So in essence the announcement says "screw you, commercial customers".

Please read again, you failed.

Regards,

	Joey

-- 
Reading is a lost art nowadays.  -- Michael Weber

Please always Cc to me when replying to me on the lists.


Robert Lemmen | 9 Jul 15:39

Re: Debian Security Support in Place

On Sat, Jul 09, 2005 at 10:22:29AM +0200, Lupe Christoph wrote:
> So in essence the announcement says "screw you, commercial customers".
> 
> Please don't do that. It makes promoting Debian awkward.

are you aware that we are talking about *oldstable* here? it was
released july 2002, i think if it is supported until may 2006 (one year
after it got replaced with a new stable version) that's quite a long
timeframe and a very good reason for promoting debian!

cu  robert

-- 
Robert Lemmen                               http://www.semistable.com 

Re: Debian Security Support in Place

Robert Lemmen <robertle <at> semistable.com> wrote:

> On Sat, Jul 09, 2005 at 10:22:29AM +0200, Lupe Christoph wrote:
> > So in essence the announcement says "screw you, commercial
> > customers".
> > 
> > Please don't do that. It makes promoting Debian awkward.
> 
> are you aware that we are talking about *oldstable* here? it was
> released july 2002, i think if it is supported until may 2006(one
> year after it got replaced with a new stable version) that's quite a
> long timeframe and a very good reason for promoting debian!

Also, you are IMHO ignoring that Debian is one of the _very_ few
distros that provide _seamless_ upgrades between even major
releases. The only other distro which comes close to the "debian-way
of upgrading" is AFAIK Gentoo (which is no alternative for productive
server systems for obvious reasons).

For my part, I used to install a base system with a
woody netinstall image to set up a sarge system for customers who
wanted a more up2date system; this never caused any problems worth
speaking of.

And THIS is a very strong pro-Debian argument: you don't need to
re-set up your server every so often (like you would have to do with,
say, SuSE), but you can, if you wish, even slowly migrate your server,
service by service, to more recent versions/releases and deal with
probable changes in configuration or handling one by one, and don't
have to do the whole lot at once.

Re: Debian Security Support in Place


[Sven 'Rae the Git' Grounsell]
> Also, you are IMHO ignoring that Debian is one of the _very_ few
> distros that provide _seamless_ upgrades between even major
> releases.

This is a slight exaggeration, as this does not really work very
seamlessly for packages where the configuration was changed.  I get a
lot of conffile questions during upgrades when trying to upgrade my
woody servers to sarge, and I would not call that seamless.

And for desktops, I ran into several problems with the package
selection when upgrading.  apt-get and aptitude wanted to remove
several of the packages instead of upgrading them.

martin f krafft | 10 Jul 12:20

Re: Debian Security Support in Place

thus spoke Sven 'Rae the Git' Grounsell <sven <at> tuxhilfe.de> [2005.07.09.1851 +0200]:
> Also, you are IMHO ignoring that Debian is one of the _very_ few
> distros that provide _seamless_ upgrades between even major
> releases.

No matter how seamless, dist-upgrades require a lot of time for
testing afterwards.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <madduck <at> debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

why didn't noah swat those two mosquitoes?

Jan Lühr | 9 Jul 10:51

Re: Debian Security Support in Place

(open letter to the debian security team)
Greetings,..

On Friday, 8 July 2005 07:58, Martin Schulze wrote:

[...]
> The Debian project confirms that the security infrastructure for both
> the current release Debian GNU/Linux 3.1 (alias sarge) and the former
> release 3.0 (alias woody) is working again.  The security team is now
> able to provide updates on a regular basis again.
[...]
> There were several issues with the security infrastructure after the
> release of sarge, that lead to the Debian security team being unable
> to issue updates to vulnerable packages.  These issues have been fully
> resolved, and the infrastructure is working correctly again.

Nice to hear, thanks to all. You obviously spent a lot of time and effort in
restoring Debian security. Thanks.

But maybe some rather constructive criticism is required as well, and,
ehm, well, to be honest, IMHO this is not satisfying:

It has never been officially announced that the security infrastructure was
not working. It is quite confusing that you report the end of problems you
haven't reported in the first place; furthermore, if the end of this problem
justifies an official Debian announcement, the beginning of this problem
should have been announced too.
Knowing about a security problem is IMHO probably more important than knowing
that one doesn't have a problem, because a security problem requires
defensive actions.
