By Jake Edge
May 16, 2012
Some projects evolve quickly, with rapid release cycles that often leave
older major versions behind. That may work just fine for users who are getting
the code directly from the project, but it can be problematic for users
getting the code from distributions. The problem becomes more acute when
security updates are wrapped up inside releases for new features and other
bug fixes. The tension between stability and the latest and greatest
version was discussed in a recent debian-devel thread regarding WordPress,
but the problem goes beyond just Debian—or WordPress.
The discussion started from a bug
report filed by Bernd Zeimetz entitled "wordpress: no sane way
for security updates in stable releases". He was reacting to a
recent wordpress security update that
upgraded Debian's wordpress package (based on 3.0.5) to the latest upstream
version (3.3.2)
because "specific fixes are usually not identified", which
makes it difficult or impossible to backport the fixes. The update
announcement goes on to warn users that compatibility (especially for
plugins or themes that have been installed) may be impacted by the update.
That's not generally the experience that Debian users expect. As Zeimetz
put it:
Being forced to upgrade to a new major version by a stable security support is
nothing we should force our users to. Debian stable is known for (usually)
pain-free updates and bugfixes only, not for shipping completely new versions
with a forced migration.
His suggestion was to leave WordPress out of the upcoming "Wheezy" (7.0)
release "until upstream handles such issues in a sane
way". It's not the first time that idea has been raised. Back
in 2007, Moritz Muehlenhoff argued
that "Etch" (Debian 4.0) should not ship WordPress due to its security track
record. That suggestion was overridden
by a vote of the technical committee. So far, at least, it doesn't seem
like Zeimetz's bug (which was closed by Muehlenhoff) is headed toward the
technical committee, but it did bring up some interesting discussion.
The general consensus seemed to be that WordPress (and other web-oriented
applications and frameworks) just move too fast to fit in well with the
Debian stable model. Russell Coker said that each new release of WordPress
likely contains undocumented security fixes, so the safest approach is always
to update to the newest release. That led Jon Dowland to wonder
what value Debian is providing by packaging WordPress if there are no
stability guarantees. Several people suggested that it does provide for an
easy way to install and upgrade the package, though it is a bit unclear how
many people actually do things that way.
In the thread, several users said that they install directly from
upstream, rather than using the packages, for a number of reasons. WordPress
has numerous plugins and themes, many of which are not packaged for Debian
for licensing or other reasons, and which typically require the latest
WordPress version to function. In addition, the Debian package is not really
targeted at multi-blog installations. Russ Allbery, for example, described
the reasons that Stanford University installs from upstream; others concurred
with that assessment.
Other distributions have essentially been forced down the same path that
the recent Debian update took. Fedora, for example, also updated to the latest WordPress in order to
fix a number of security problems. Fedora users are probably more used to
living on (or close to) the bleeding edge than Debian stable users are.
But maintaining a package that upstream has left far behind for 2-3 years,
as Debian tries to do, is likely to be difficult.
Evidently, WordPress doesn't have a lot of interest in declaring a stable
release to maintain over that kind of time frame. That's not a surprise,
nor a knock on
WordPress, as the web moves very quickly and the project can make its own
decisions about how to support its users. That said, it would certainly
help distributions and others to give better information about security
fixes so that backports could potentially be made. While the WordPress
security track record may have gotten better over the years—that
depends on whom you listen to—some of the same problems that we
wrote about in 2009 persist.
The problem is not limited to WordPress, of course, as there are lots of
projects, particularly in the web space, that are rapidly updating and
leaving their older major versions behind. Firefox is another example of a project that generally forces
distributions to upgrade to the latest version due to its rapid release
cycle (though the extended support
release may blunt the impact for some distributions). Other content
management systems, web browsers, frameworks, and so on, have had similar
situations that required a major version upgrade for security fixes.
It is still an open question how Linux distributions should handle
packaging these kinds of projects. One possible solution for Debian,
suggested by Martin Bagge, is simply to document the problem, as is already
done for browsers: Debian alerts users that some browsers may not get
security updates because upstream has no long-term maintenance branch.
This is yet another example of the difficulty in maintaining a stable base using
an ever-shifting array of parts. Distributions are dependent on the
upstream projects, but those projects may have an entirely different
focus. For distributions like Fedora that turn over every year or so, it's
less of an issue, but distributions like Debian (or Ubuntu LTS) are going
to have to carefully decide which packages they can maintain—and how
they maintain them—over the long haul.
In the future, it may make sense to explore other options. Perhaps
distributions could concentrate on the core "plumbing" of the system
(libraries, desktops, development tools, utilities, etc.) while providing a
means for users to easily install applications (especially fast moving
ones) from
upstream. That is the model that Google's Play store follows for
Android, and Ubuntu is experimenting with it to some extent in its
Ubuntu Software Center. With the cooperation of the upstream projects,
some kind of middle ground
might be found between using the package manager and installing upstream code
with an entirely different mechanism. There are lots of things to like
about the Linux
distribution model, but that doesn't mean that there is no room for
improvement.
Brief items
-kgd, longtime RedHat-er torn between a distro that I get along with and
a distro with at least three kitchen sinks included
--
Kris Deugau
Recipe to stop biggerism: Stop upgrading everything.
--
Chris Murphy
I have a Fedora sticker in front of *acebook*.
All I need is for folks to come up and ask me what's the deal with that?
Next thing ya know, I am telling them about Linux, Fedora, and the Beefy
Miracle. Sense of humor is key here. If life gives you lemons, make
lemonade. Then maybe put some booze in it, and share it with others. At
this point, you and your new friends can talk about the bastard that
thought it was a good idea to give you lemons.
--
Mark Terranova
The Debian Administrator's Handbook by longtime Debian developers
Raphaël Hertzog and Roland Mas has been published in a wide variety of
formats. Due to a successful "liberation" fundraising campaign, it is also
freely available. "This translation into English of the fifth edition of
the French “Cahier de l'Admin Debian” (published by Eyrolles) has been
crowdfunded, and the results are just released. The funding campaign was so
successful that the book is even published under not one but two free
licenses (GPL-2+ and CC-BY-SA-3). It is available as paperback, in several
electronic formats for easy consumption, and even browsable online from the
website. And of course, it's also been made available to Debian users in
the "debian-handbook" package."
It's been 10 years since Red Hat first released Red Hat Enterprise Linux.
Here's a press release.
Newsletters and articles of interest
The H rounds up reports from the Ubuntu Developer Summit that is currently being held in Oakland, California. Chris Kenyon, Canonical's Vice President of OEM Services, reports that Ubuntu shipped pre-installed on 8-10 million computers last year and predicted that it would ship on 18 million next year (which would be 5% of the market, he said). Also: "Ubuntu developers are planning to fork the GNOME Control Center to create their own Ubuntu Control Center package. Other than GNOME Shell, it is planned that the installation CD for Ubuntu 12.10 "Quantal Quetzal" will include almost all core components of GNOME 3.6, including Clutter. Up to now, Clutter has been missing from the default install which had forced the Ubuntu developers to include Totem 3.0 instead of 3.4 because the newer version depends on Clutter."
Page editor: Rebecca Sobol