Keeping older Debian distributions secure

The Debian Project has sent out a survey in an attempt to figure out how many users are still using the "Potato" distribution. The project's goal is clear: they want to figure out when they can stop providing security updates for that version of the distribution. Pulling the plug on Potato may seem a bit premature, given that Woody was only released back in July. But, for Debian, this move is already late; remember that support for Debian 2.1 ("Slink") was withdrawn just one month after the Potato release.

Debian is different from most distributions, of course, in that its users are expected to upgrade quickly. Given the ease of the process, there is generally little reason to wait. But the simple fact is that people do not like to upgrade working systems. If a computer is happily doing the tasks assigned to it, why thrash up the operating system and break things? Commercial distributors understand this inertia, and most of them go out of their way to support old distributions for at least a couple of years. As a volunteer-driven distributor, the Debian Project has had the freedom to cut off support sooner (because it does not have paying customers), and the need to do that, because it does not have paid developers who can be sent off to patch holes in ancient packages.

The fact that the Debian Project is asking for input this time, rather than simply cutting off support after one month, shows a new sensitivity toward the needs of users beyond the Debian developer community. This is a good thing, of course, but Debian, by its nature, will still be limited in the amount of support it can provide for older versions of its distribution. This is an area where companies that ship commercial versions of Debian could contribute back to the project. By paying somebody to fix security problems in older versions of Debian GNU/Linux, these distributors can enhance the value of their own products while supporting the project that supports them.

So far, no vendor of Debian-based distributions has stepped up to this plate. Indeed, Debian-based distributors tend not to bother with security updates at all, since the Debian Project itself does such a good job with them. If these companies are serious about using Debian as a base for a commercial product, however, they are going to have to get a bit more serious about long-term support. Otherwise, they are likely to find their customers going elsewhere.

Total length of support period is similar

Posted Nov 7, 2002 9:33 UTC (Thu) by haggai (guest, #2002)

> Otherwise, they are likely to find their customers going elsewhere.

While talking to people at the Expo last week, I heard that many server administrators using a commercial distro tend to run a particular version for as long as it is supported, and only perform an upgrade when that version is no longer supported. Then the newest version is installed and run until no longer supported. This reduces the maintenance time needed by the admin.

Potato was first released in August 2000, so even if support was dropped now it would have been supported over a 2 year period. Looking at the websites, SuSE and Mandrake are supported for 2 years and Red Hat offers 1 year for RH 8.0 and 3-5 years for the Advanced Server.

So from the aspect of 'how long can I run this version for?', Debian is just as good as other vendors, except for RH's Advanced Server. Of course, my argument only holds for long running systems - people installing 'the latest version' in say, Spring of this year, won't be able to run for a full 2 years on the Potato version that they installed. Still, upgrading Debian is significantly easier than average - did I tell you it isn't even necessary to reboot :-)

Chris Halls
Debian OpenOffice.org team

Total length of support period is similar

Posted Nov 8, 2002 4:24 UTC (Fri) by wolfrider (guest, #3105)

Yep. I started out with Old-Skool Red Hat (5.x??), went to Mandrake as soon as it came out, dropped them for SuSE 6.x and then paid for SuSE 7.3 Pro (DVD.)

SuSE 8.x IMHO, is not what I need. I count myself incredibly lucky to have discovered KNOPPIX - and that got me interested in Debian. :)

Apt-* RULES!!

Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds