Features Download
From: Russ Allbery <rra <at> debian.org>
Subject: Re: Dreamhost dumps Debian
Newsgroups: gmane.linux.debian.devel.general
Date: Tuesday 20th August 2013 18:25:16 UTC (over 4 years ago)
Ian Jackson  writes:
> Pau Garcia i Quiles writes ("Re: Dreamhost dumps Debian"):

>> The same people that maintain the packages in sid and stable: the
>> maintainer(s) for each package. [...]

> That is not the case.  At the moment most of this is done by the
> Debian security team.  Of course some package maintainers do help.

I consider it part of my responsibility as a package maintainer to provide
security support for my packages for as long as Debian does.  If I felt
like I couldn't do that, I would orphan the package or look at having it
removed from Debian.  I don't think there's any way that one team can
scale to providing security support for the entire archive; it's hard for
them to even track the existence of issues for the entire archive.

But even apart from manpower, I think there are some real challenges to
providing security support for any longer than we do, to the degree that I
feel like the security support that Ubuntu and Red Hat claim to provide is
partly illusory.  My experience is that I can just barely manage to
convince upstreams to look over my backports of security patches to
packages in oldstable; another two years would be so far out of upstream's
willingness to even consider the package that Debian would be entirely on
its own for quite a lot of packages.  Frequently, the version in oldstable
is already past upstream's official end of life announcement.  And it's
rare to see much involvement of Red Hat or Ubuntu security folks in those

I don't want to be unfair to Red Hat's and Ubuntu's security teams, who do
a lot of hard and excellent work, and I realize that both have paid
employees doing this and therefore more resources available.  But even
given that, I suspect that, towards the end of that five year cycle, the
number of security fixes that are actually backported is fairly limited,
and quite a lot of triage is being done, even beyond the core versus
universe distinctions.  They'd be working without any assistance from the
upstream maintainers in many cases.

Two year upgrade cycles are uncomfortable for a lot of production IT
organizations, including the one I work for.  But even if Debian claimed
to support software for longer, I personally would be quite leery about
relying on that given my experience with talking to upstream projects
about security vulnerabilities.  I'm painfully aware of the steep cliff
dropoff of upstream support for security fixes once you go beyond two
years after the release of the software.  Beyond that point, even if you
do get security fixes, you're probably getting fixes that have been
backported by people with only a vague knowledge of the code, fixes that
often have not been thoroughly tested or tested by someone who uses the
software in question and that upstream has never looked at and will
disclaim any knowledge of or support for.

As painful as it is, if you are worried about security in a production
environment, falling more than a couple of years behind current
distribution releases is probably not in your best interests no matter
what security support you supposedly have.

Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>
CD: 4ms