Security Support for Debian 3.1 to be terminated
------------------------------------------------------------------------
The Debian Project                                http://www.debian.org/
Security Support for Debian 3.1 to be terminated        press@debian.org
February 29th, 2008             http://www.debian.org/News/2008/20080229
------------------------------------------------------------------------

Security Support for Debian GNU/Linux 3.1 to be terminated on March 31st

One year after the release of Debian GNU/Linux 4.0 alias 'etch' and nearly three years after the release of Debian GNU/Linux 3.1 alias 'sarge', security support for the old distribution (3.1 alias 'sarge') is coming to an end next month. The Debian project is proud to be able to support its old distribution for such a long time, and even for one year after a new version has been released.

The Debian project released Debian GNU/Linux 4.0 alias 'etch' on the 8th of April 2007. Users and distributors have been given a one-year timeframe to upgrade their old installations to the current stable release. Hence, security support for the old release 3.1 is going to end in March 2008, as previously announced. Previously announced security updates for the old release will continue to be available on security.debian.org.

Security Updates
----------------

The Debian Security Team provides security updates for the current distribution via <http://security.debian.org/>. Security updates for the old distribution are also provided for one year after the new distribution has been released or until the current distribution is superseded, whichever happens first.

About Debian
------------

Debian GNU/Linux is a free operating system, developed by more than a thousand volunteers from all over the world who collaborate via the Internet. Debian's dedication to Free Software, its non-profit nature, and its open development model make it unique among GNU/Linux distributions.

The Debian project's key strengths are its volunteer base, its dedication to the Debian Social Contract, and its commitment to provide the best operating system possible. Debian 4.0 is another important step in that direction.

Contact Information
-------------------

For further information, please visit the Debian web pages at <http://www.debian.org/> or send mail to <press@debian.org>.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 3:28 UTC (Mon) by grouch (subscriber, #27289)

I still have a couple of boxes running Sarge. Guess it's time to dist-upgrade them.

I started with Slink, but was only happy with it on headless boxes and so installed Potato, which was 'testing', for my desktop. Shortly after Potato became 'stable', I moved to Woody. Woody was good enough to last for 6 months beyond its release before I felt a need to upgrade again to 'testing'. Sarge has been satisfactory for me from the time it was 'testing' until now, when it is so obsolete it is due to become unsupported.

Thank you all, Debian developers, for evolving such an excellent system. I've never had a jolting experience with it.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 4:43 UTC (Mon) by sbergman27 (subscriber, #10767)

I would note that if Microsoft dropped support for a version of Windows after less than 3 years we'd all be screaming bloody murder and talking about upgrade treadmills. Fortunately, we do have RHEL and CentOS, with 7 years of support, for real enterprise use.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 5:36 UTC (Mon) by beoba (guest, #16942)

You get what you pay for?
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 5:41 UTC (Mon) by ikm (subscriber, #493)

> I would note that if Microsoft dropped support for a version of Windows after less than 3 years we'd all be screaming bloody murder and talking about upgrade treadmills.

..unless these upgrades didn't require buying them and upgrading hardware in order to run them. So I think this comparison is just not true -- these are not upgrades to begin with, but instead some completely new systems.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 16:25 UTC (Mon) by sbergman27 (subscriber, #10767)

No upgrade is free. There are *always* costs associated with them, even when there are no licensing costs involved. So saying that Debian is a free upgrade doesn't really cut it. Any enterprise depending upon Debian is now being forced to spend money and human resources due to Debian's relatively short life-cycle.

The reason I bring this up is that I often see Debian being pitched as an enterprise OS in the same breath as RHEL and SLES. This seems as good a time as any to point out a problem with that pitch. And it is one which is entirely addressable.

Someone else has already pointed out Ubuntu Server LTS, which I neglected to mention. My mistake. But I'm not sure that Debian fans are going to be comfortable with the idea of Ubuntu being the stable enterprise OS with Debian being classified as the fly-by-night option. ;-)

Also, someone below points out that they did not think that I was saying that there was anything necessarily wrong with upgrades. They are correct. All actions and all policies have consequences. I am merely pointing out one of the consequences of a < 3 year OS life-cycle policy.

It is not enough for the maintainer of an enterprise class OS to talk the talk. They must also walk the walk. And long term support is very much a part of that walk.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 20:42 UTC (Mon) by vmole (subscriber, #111)

> Any enterprise depending upon Debian is now being forced to spend money and human resources due to Debian's relatively short life-cycle.

Of course, they didn't pay anything up front (except the install resources, which would be similar for any distribution.) And during the supported time, they had security support and updates that didn't break existing systems. And now that they do have to upgrade, they're getting the smoothest upgrades available. And it's not like anyone *promised* them 7 year support...so I have a hard time seeing the valid complaints.

Businesses are supposed to evaluate choices and make the best one, for their circumstances. If you want a Debian system with longer supported lifecycles, start a company and do it.

And I find it terribly amusing (and sad) that Debian can't win. They're giving away software and a huge amount of effort, and people either bitch about too many updates, or not enough.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 22:11 UTC (Mon) by sbergman27 (subscriber, #10767)

""" Of course, they didn't pay anything up front (except the install resources, which would be similar for any distribution.) """

The human resources being the largest part of the lifetime cost of most any OS running on commodity hardware.

""" And during the supported time, they had security support and updates that didn't break existing systems. And now that they do have to upgrade, they're getting the smoothest upgrades available. """

Those statements are unproven. Maybe they did have breakage. And maybe they didn't. And no upgrade to a server with a complex config is ever really smooth. There are always snags.

""" And it's not like anyone *promised* them 7 year support... """

That's for sure. Debian tries to commit to as little as possible.

""" Businesses are supposed to evaluate choices and make the best one, for their circumstances. If you want a Debian system with longer supported lifecycles, start a company and do it. """

There is no point in my starting a company to provide an OS with long term support. I just use RHEL or CentOS when such is needed. And I presume larger enterprises do the same. (I'm taking a wait and see attitude regarding Ubuntu Server LTS.)

You are really missing my point in your haste to interpret my post as an attack upon Debian. It is obvious to me, based upon posts which I have read from time to time, which posit Debian as an enterprise class OS next to RHEL, CentOS, and SLES, that a certain segment of the Debian community fancies Debian to be an enterprise class OS. To operate in that capacity, the distro maintainers must give enterprise customers what they want. And believe it or not, a nominal price tag or $0 with no promises given comes pretty far down the list of features attractive to such a customer.

We in the FOSS world really do lean too hard on the "Well, you didn't pay anything for it!" excuse, and also upon the marketing value of a $0 price tag, which is, in fact, limited. Instead of saying that enterprises should evaluate their needs and select accordingly, it seems to me that it would be more beneficial to consider giving the enterprise customers what they want. That is assuming that Debian *wants* to be considered an enterprise OS. If they do not, then that is OK. I'm only going by evidence that I see that some in the Debian community view it as such.

""" And I find it terribly amusing (and sad) that Debian can't win. They're giving away software and a huge amount of effort, and people either bitch about too many updates, or not enough. """

It really is not the catch-22 that you depict. And Red Hat's policies can be held up as an example of what would be required: a somewhat predictable release cycle of about 18-24 months, and at least 5 years support for each release. Red Hat provides 7 years, in three phases: http://tinyurl.com/28orla

And considering Red Hat's excellent customer loyalty rating, I would say that the recipe which they use is a good one.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 22:57 UTC (Mon) by vmole (subscriber, #111)

Of course the human resource is the biggest cost in any large installation. But those costs are ongoing regardless of the distribution, and it is not unreasonable that for a large installation, the cost of an upgrade every three years instead of six is evaluated as being less than the cost of "Enterprise Class" OS licenses.

And while support contracts may be desirable to some enterprise customers, to some they're not. They have in-house expertise, and while the vendor license isn't a big fraction of the total cost, it is, to some, pure waste.

(Originally, I wrote a few paragraphs arguing that the Debian upgrades were definitely smoother and easier than RH. But then we'd just end up arguing details and preferences, so why bother.)

> To operate in that capacity, the distro maintainers must give enterprise customers what they want.

Debian maintainers give its customers *exactly* what they want. That's because Debian maintainers *are* the customers. Some of them work for large enterprises, and some of them don't. The fact that many others find the distribution useful is a bonus. But they're not the customers.

That's the whole point: Debian is NOT a commercial distribution. If Debian is not suitable for your purposes, DON'T USE IT. I don't care.
Security Support for Debian 3.1 to be terminated
Posted Mar 4, 2008 0:31 UTC (Tue) by ikm (subscriber, #493)

I totally agree with you when you say that Debian is not an enterprise OS -- of course it isn't. Enterprise offerings are about guarantees and support -- that's definitely not Debian, which comes with no warranties and no support promises whatsoever.

On a different note, I would like to notice that upgrading sarge to etch and upgrading xp to vista are two wholly different experiences with two completely different results, and that is what I was actually talking about.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 6:07 UTC (Mon) by njs (subscriber, #40338)

Oh, come on.

A suggestion: if you look at your comment and realize that it involves comparing *Debian* to *Microsoft*, then stop and ask yourself what you're trying to do. If your answer is "troll", then carry on. If the answer is "attempt to contribute to a thoughtful discussion", then maybe consider an analogy that communicates your point without being pointlessly inflammatory?

Because if you really want to talk about the trade-offs in providing and procuring multi-year support for distributions, we can do that, but coming across as a propagandizing fanboy (it's the way you use "real" that clinches it, here) just... doesn't get us there. All it does is make people either roll their eyes or nod in agreement, depending on whether their existing prejudices match yours.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 23:29 UTC (Mon) by GreyWizard (subscriber, #1026)

Well said.
Security Support for Debian 3.1 to be terminated
Posted Mar 4, 2008 0:01 UTC (Tue) by sbergman27 (subscriber, #10767)

If you consider my post to be of an inflammatory nature, you have obviously completely misinterpreted it. I sometimes fail to sugar coat my observations enough to avoid offending some Debian users.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 6:35 UTC (Mon) by Cato (subscriber, #7643)

If you prefer a Debian-based distribution, Ubuntu's Long Term Support versions offer security update support on servers for 5 years - e.g. Ubuntu 6.06 LTS.

As others have pointed out, it's relatively easy to upgrade from one Debian/Ubuntu version to another - e.g. when Ubuntu 8.04 LTS comes out in April 2008, you can run "update-manager" to do an automated upgrade. Some people do have problems with upgrades, mostly due to hardware support or third party programs/repositories, but on a clean system with most hardware it should be no problem. I would expect a well managed Ubuntu server to upgrade very easily, as with Debian.

At least with Linux you can decide how long a support lifetime you require for any given version - and if you prefer Debian you can simply contract with various companies who will provide support (beyond security updates), though once security updates are no longer provided the cost of support would increase a lot.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 9:27 UTC (Mon) by drag (subscriber, #31333)

I don't think he is saying anything bad about the need to upgrade...

But anyways. What I am truly interested in with Ubuntu LTS is how well they are able to keep up on security updates for 'unofficial' portions of its OS. Namely anything from the universe or multiverse repositories.

The thing is that Ubuntu only officially supports a small fraction of what Debian does. The majority of what makes up Debian is something that Ubuntu makes no promises about. So the question is whether or not you can expect your system to keep up to date (security-wise) if you install a bunch of packages from universe.

If you have to restrict yourself to the 'main' then that isn't very good, but if the community is able to keep up with everything then that's fine.

Not trying to make any FUD or anything, but I am not nearly as familiar with Ubuntu as I am with Debian and am curious how all that works out.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 13:42 UTC (Mon) by Cato (subscriber, #7643)

That's a good point about Ubuntu - the lack of security updates for Universe could be an issue. Basically for anything security sensitive in Universe, you need to track another source of updates, which could be Debian or directly from upstream. However, the Ubuntu statement on all this makes it clear that if upstream does a security fix, Universe should pull this in. I'm curious why Ubuntu doesn't provide security updates for as many packages as Debian, though ... anyone know the answer?

Multiverse is for unsupported binaries, so it's best to go direct to the vendor (e.g. Opera has its own repository which works nicely with APT), and Restricted is for supported binaries such as some video drivers.

If you have a server, it's worth ensuring that everything you need is in the main part of Ubuntu - if there are additional packages that are security sensitive, it's worth tracking public alert lists or the specific alert lists from upstream.

For desktops, you still need to exercise a little care in choice of Universe components, but the real risk of compromise is very low as most vulnerabilities would be through desktop clients such as web, email, PDF readers, media players, etc, and of course those mostly target Windows and Mac - at least for now.

(I just encountered another friend's Windows PC that had a particularly nasty piece of spyware called Vundo that is not prevented or fixed by their up to date Norton Internet Security package - instead you need to download some freeware to fix it, and use Firefox to avoid getting it in the first place... if this was an Ubuntu box it would not have had spyware in the first place.)
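An added example from the editor, not part of any comment in this thread, of the inventory check the post above recommends: it parses the text that `apt-cache policy <pkg>...` prints and reports every installed package whose installed version does not come from a component that receives official security updates (main, and restricted as the post describes it), so that the administrator knows which packages need a second source of security advisories. The package names, versions and mirror URL in the embedded sample are constructed for illustration; the component names and the output layout are those of APT.

```python
"""List installed packages whose installed version comes from a repository
component outside the officially supported ones (e.g. universe, multiverse)
or from no configured archive at all, by parsing `apt-cache policy` output.

Added example; not code from the Debian announcement or from the LWN thread.
"""
import subprocess
import sys

# Constructed sample of `apt-cache policy openssh-server nagios2 hello-local`
# output: package names, versions and the mirror URL are made up.
SAMPLE_POLICY = """\
openssh-server:
  Installed: 1:4.3p2-8ubuntu1
  Candidate: 1:4.3p2-8ubuntu1
  Version table:
 *** 1:4.3p2-8ubuntu1 0
        500 http://archive.example.org/ubuntu dapper-security/main Packages
        100 /var/lib/dpkg/status
nagios2:
  Installed: 2.0b3-1
  Candidate: 2.0b3-1
  Version table:
 *** 2.0b3-1 0
        500 http://archive.example.org/ubuntu dapper/universe Packages
        100 /var/lib/dpkg/status
hello-local:
  Installed: 1.0-1
  Candidate: 1.0-1
  Version table:
 *** 1.0-1 0
        100 /var/lib/dpkg/status
"""


def parse_policy(text):
    """Return {package: set of components} for each package's *installed* version.

    In the version table, the installed version is the entry marked '***';
    the indented lines under it name the sources it is available from, as
    '<priority> <uri> <suite>/<component> ... Packages'. The line
    '100 /var/lib/dpkg/status' only says the package is installed, so a
    package with nothing else ends up with an empty set (local or orphaned).
    """
    result = {}
    pkg = None
    in_installed = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            pkg = line[:-1]                 # "name:" starts a package block
            result[pkg] = set()
            in_installed = False
            continue
        if pkg is None:
            continue
        tokens = line.split()
        if tokens[0] == "Installed:" and tokens[1] == "(none)":
            del result[pkg]                 # not installed: nothing to audit
            pkg = None
        elif tokens[0] == "***":
            in_installed = True             # entry for the installed version
        elif tokens[-1].lstrip("-").isdigit():
            in_installed = False            # entry for some other version
        elif in_installed and tokens[0].isdigit() and len(tokens) >= 4 \
                and "/" in tokens[2]:
            result[pkg].add(tokens[2].rsplit("/", 1)[1])
    return result


def unsupported_packages(text, supported=("main", "restricted")):
    """Map each package whose installed version is not available from any
    `supported` component to the sorted list of components it does come from
    (an empty list means: installed from outside every configured archive)."""
    flagged = {}
    for pkg, comps in parse_policy(text).items():
        if not comps & set(supported):
            flagged[pkg] = sorted(comps)
    return flagged


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: ask APT about the packages named on the command line.
        text = subprocess.run(["apt-cache", "policy"] + sys.argv[1:],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_POLICY
    for pkg, comps in sorted(unsupported_packages(text).items()):
        print(f"{pkg}: {', '.join(comps) if comps else 'no configured archive'}")
```

On a real system the package list is easiest to feed in as `dpkg-query -f '${Package}\n' -W`, and a package flagged with no archive at all deserves the same attention as one from universe: it will receive no updates from any configured source.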
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 17:44 UTC (Mon) by vonbrand (subscriber, #4458)

> I'm curious why Ubuntu doesn't provide security updates for as many packages as Debian, though ... anyone know the answer?

Manpower required? (No, "Canonical is a company, they have money" doesn't cut it). Maintaining old software is boring, backporting security fixes from (increasingly remote) head versions is delicate, painstaking work, and requires people intimately acquainted with the codebases. They are in rather short supply.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 11:14 UTC (Mon) by tialaramex (subscriber, #21167)

Less than three years from what though? Windows XP is still supported after five years or so... but only if you upgraded to Service Pack 2. Your Debian system is still supported too... if you're willing to upgrade it to version 4.0.

In both cases this "required" upgrade isn't too difficult but it might sabotage compatibility with 3rd party software, require configuration changes to get things working smoothly again and you may need some re-training. Applying "Service Pack 2" /sounds/ less drastic than the upgrade from Debian 3.1 to 4.0 but that's about it.

Microsoft and Red Hat are both in the situation that they'd quite like customers to run the stuff that's near the cutting edge, but they don't want to lose customers who can't or won't do that. Every old version supported costs money, which they'd prefer to spend on R&D for the new versions. Both of them have shifted to a model where customers (big corporate ones at least) can run whatever version of the OS they like for the same annual fee, with a rolling cycle of upgrades.

For a community maintained operating system you have to make a decision about where the community's priorities lie and follow that. Debian and Fedora have taken radically different decisions here, but I think both are successful at what they do.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 13:24 UTC (Mon) by ahoh (guest, #17291)

Wasn't sarge the last Debian distribution to support the 2.4 kernel series? That might have been quite a good reason for delaying upgrades (third party anyone?). I found Debian upgrades quite painless ... just the kernel issue is a hard limit. Well, I guess I have to bite the carrot ....
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 20:50 UTC (Mon) by vmole (subscriber, #111)

For what it's worth, I'm running an etch server on a 2.4 kernel with no problems. No udev, obviously, but it's a server, so who cares? So long as glibc and the core system utilities (e.g. filesystem stuff) maintain compatibility, no problem.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 21:12 UTC (Mon) by tzafrir (subscriber, #11501)

One point to consider regarding the upgrade path: Debian covers much more of the software you'll need in the supported and tested main repository. Upgrading of packages in main is actually tested. Yes, migrating the data will probably take work in some cases. But much of the work is automated by maintainer scripts.

Enterprise distributions support less software for longer time periods. One result is that you'll have to use more custom software of your own.
Security Support for Debian 3.1 to be terminated
Posted Mar 3, 2008 22:53 UTC (Mon) by man_ls (subscriber, #15091)

Good point. 14k packages (in Sarge) is a lot, and probably covers most "real enterprise use" you might imagine, unlike with some other OS vendors. (Some more than others.)

Also note that the upgrade path is supported: bugs in the OS upgrade are treated like real bugs, unlike with some other OS vendors who will tell you "oh it's just so hard". So by the time support for a version is dropped the upgrade path to the next is well tested and will probably go smoothly.
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds