Security Support for Debian 3.1 to be terminated

Posted Mar 3, 2008 6:35 UTC (Mon) by Cato (subscriber, #7643)
In reply to: Security Support for Debian 3.1 to be terminated by sbergman27
Parent article: Security Support for Debian 3.1 to be terminated

If you prefer a Debian-based distribution, Ubuntu's Long Term Support versions offer security
update support on servers for 5 years - e.g. Ubuntu 6.06 LTS.  

As others have pointed out, it's relatively easy to upgrade from one Debian/Ubuntu version to
another - e.g. when Ubuntu 8.04 LTS comes out in April 2008, you can run "update-manager" to
do an automated upgrade.  Some people do have problems with upgrades, mostly due to hardware
support or third party programs/repositories, but on a clean system with most hardware it
should be no problem.  I would expect a well managed Ubuntu server to upgrade very easily, as
with Debian.

At least with Linux you can decide how long a support lifetime you require for any given
version - and if you prefer Debian you can simply contract with various companies who will
provide support (beyond security updates), though once security updates are no longer provided
the cost of support would increase a lot.


Security Support for Debian 3.1 to be terminated

Posted Mar 3, 2008 9:27 UTC (Mon) by drag (subscriber, #31333)

I don't think he is saying anything bad about the need to upgrade...


But anyways. What I am truly interested in with Ubuntu LTS is how well they are able to keep
up on security updates for 'unofficial' portions of its OS. Namely anything from the universe
or multiverse repositories. The thing is that Ubuntu only officially supports a small
fraction of what Debian does. The majority of what makes up Debian is something that Ubuntu
makes no promises about.

So the question is whether or not you can expect your system to keep up to date
(security-wise) if you install a bunch of packages from universe. If you have to restrict
yourself to the 'main' then that isn't very good, but if the community is able to keep up with
everything then that's fine.  Not trying to make any FUD or anything, but I am not nearly
as familiar with Ubuntu as I am with Debian and am curious how all that works out.

Security Support for Debian 3.1 to be terminated

Posted Mar 3, 2008 13:42 UTC (Mon) by Cato (subscriber, #7643)

That's a good point about Ubuntu - the lack of security updates for Universe could be an
issue.  Basically for anything security sensitive in Universe, you need to track another
source of updates, which could be Debian or directly from upstream.  However, the Ubuntu
statement on all this makes it clear that if upstream does a security fix, Universe should
pull this in.

I'm curious why Ubuntu doesn't provide security updates for as many packages as Debian, though
...  anyone know the answer?

Multiverse is for unsupported binaries, so it's best to go direct to the vendor (e.g. Opera
has its own repository which works nicely with APT), and Restricted is for supported binaries
such as some video drivers.

If you have a server, it's worth ensuring that everything you need is in the main part of
Ubuntu - if there are additional packages that are security sensitive, it's worth tracking
public alert lists or the specific alert lists from upstream.

For desktops, you still need to exercise a little care in choice of Universe components, but the
real risk of compromise is very low as most vulnerabilities would be through desktop clients
such as web, email, PDF readers, media players, etc, and of course those mostly target Windows
and Mac - at least for now.  (I just encountered another friend's Windows PC that had a
particularly nasty piece of spyware called Vundo that is not prevented or fixed by their up to
date Norton Internet Security package - instead you need to download some freeware to fix it,
and use Firefox to avoid getting it in the first place...  if this was an Ubuntu box it would
not have had spyware in the first place.)

Security Support for Debian 3.1 to be terminated

Posted Mar 3, 2008 17:44 UTC (Mon) by vonbrand (subscriber, #4458)

> I'm curious why Ubuntu doesn't provide security updates for as many packages as Debian, though ... anyone know the answer?

Manpower required? (No, "Canonical is a company, they have money" doesn't cut it).

Maintaining old software is boring, backporting security fixes from (increasingly remote) head versions is delicate, painstaking work, and requires people intimately acquainted with the codebases. They are in rather short supply.

Copyright © 2008, Eklektix, Inc.