Weekly Edition
Return to the Distributions pageRecent Features
| |||||||||||||
Stable distributions and unstable softwareSome projects evolve quickly, with rapid release cycles that often leave older major versions behind. That may work just fine for users who are getting the code directly from the project, but it can be problematic for users getting the code from distributions. The problem becomes more acute when security updates are wrapped up inside releases for new features and other bug fixes. The tension between stability and the latest and greatest version was discussed in a recent debian-devel thread regarding WordPress, but the problem goes beyond just Debian—or WordPress. The discussion started from a bug report filed by Bernd Zeimetz entitled "wordpress: no sane way for security updates in stable releases". He was reacting to a recent wordpress security update that upgraded Debian's wordpress package (based on 3.0.5) to the latest upstream version (3.3.2) because "specific fixes are usually not identified", which makes it difficult or impossible to backport the fixes. The update announcement goes on to warn users that compatibility (especially for plugins or themes that have been installed) may be impacted by the update. That's not generally the experience that Debian users expect. As Zeimetz put it:
Being forced to upgrade to a new major version by a stable security support is
nothing we should force our users to. Debian stable is known for (usually)
painfree updates and bugfixes only, not for shipping completely new versions
with a forced migration.
His suggestion was to leave WordPress out of the upcoming "Wheezy" (7.0) release "until upstream handles such issues in a sane way". It's not the first time that idea has been raised. Back in 2007, Moritz Muehlenhoff argued that "Etch" (Debian 4.0) should not ship WordPress due to its security track record. That suggestion was overridden by a vote of the technical committee. So far, at least, it doesn't seem like Zeimetz's bug (which was closed by Muehlenhoff) is headed toward the technical committee, but it did bring up some interesting discussion. The general consensus seemed to be that WordPress (and other web-oriented applications and frameworks) just move too fast to fit in well with the Debian stable model. Each new release of WordPress likely has some security fixes, Russell Coker said, that are undocumented, so the safest approach is to always update to the newest release. That led Jon Dowland to wonder what value Debian is providing by packaging WordPress if there are no stability guarantees. Several people suggested that it does provide for an easy way to install and upgrade the package, though it is a bit unclear how many people actually do things that way. In the thread, several users said that they install directly from upstream, rather than using the packages, for a number of reasons. There are numerous plugins and themes for WordPress, many of which are not packaged for Debian for licensing or other reasons, and that typically require the latest version to function. In addition, the Debian package is not really targeted at multi-blog installations. For example, Russ Allbery described the reasons that Stanford University installs from upstream; others concurred with that assessment. Other distributions have essentially been forced down the same path that the recent Debian update took. Fedora, for example, also updated to the latest WordPress in order to fix a number of security problems. Fedora users are probably more used to living on (or close to) the bleeding edge than Debian stable users are. But maintaining a package that upstream has left far behind for 2-3 years, as Debian tries to do, is likely to be difficult. Evidently, WordPress doesn't have a lot of interest in declaring a stable release to maintain over that kind of time frame. That's not a surprise, nor a knock on WordPress, as the web moves very quickly and the project can make its own decisions about how to support its users. That said, it would certainly help distributions and others to give better information about security fixes so that backports could potentially be made. While the WordPress security track record may have gotten better over the years—that depends on whom you listen to— some of the same problems that we wrote about in 2009 persist. The problem is not limited to WordPress, of course, as there are lots of projects, particularly in the web space, that are rapidly updating and leaving their older major versions behind. Firefox is another example of a project that generally forces distributions to upgrade to the latest version due to its rapid release cycle (though the extended support release may blunt the impact for some distributions). Other content management systems, web browsers, frameworks, and so on, have had similar situations that required a major version upgrade for security fixes. It is still an open question how Linux distributions should handle packaging these kinds of projects. One possible solution for Debian is just to document the problem as is done for browsers, which was suggested by Martin Bagge. Essentially, Debian alerts users that some browsers may not get updates because of the lack of a long-term maintenance branch. This is yet another example of the difficulty in maintaining a stable base using an ever-shifting array of parts. Distributions are dependent on the upstream projects, but those projects may have an entirely different focus. For distributions like Fedora that turn over every year or so, it's less of an issue, but distributions like Debian (or Ubuntu LTS) are going to have to carefully decide which packages they can maintain—and how they maintain them—over the long haul. In the future, it may make sense to explore other options. Perhaps distributions could concentrate on the core "plumbing" of the system (libraries, desktops, development tools, utilities, etc.) while providing a means for users to easily install applications (especially fast moving ones) from upstream. That is the model that the Google's Play store follows for Android, and Ubuntu is experimenting with that to some extent in its Ubuntu Software Center. With cooperation of the upstream projects, some kind of middle ground might be found between using the package manager and installing upstream code with an entirely different mechanism. There are lots of things to like about the Linux distribution model, but that doesn't mean that there is no room for improvement. (Log in to post comments)
Time for rolling release focus? Posted May 17, 2012 2:13 UTC (Thu) by lemmings (subscriber, #53618) [Link]
I personally would like to see more of a move towards rolling release distributions becoming the norm for desktops.
A rolling release ties in with the release early, release often philosophy and would provide all the benefits to development that that entails. The biggest challenge is ensuring stability and a hassle free end user experience as the software is constantly upgraded.
It even makes sense for many of the components on a server system where there is low risk of stability/compatibility problems with newer versions.
Time for rolling release focus? Posted May 17, 2012 2:33 UTC (Thu) by nickbp (subscriber, #63605) [Link]
You can more or less get this now with Debian testing.
Time for rolling release focus? Posted May 17, 2012 3:43 UTC (Thu) by lemmings (subscriber, #53618) [Link] Sort of. Continuous rolling unstable/testing distributions aren't what I had in mind so much. Like Fedora Rawhide, they tend to have moments of being frozen for release, breakage, and a mix of upstream stable/development versions. I'm more interested in continuous rolling stable versions of upstream packages with little delay. Ideally, this would be coupled with the ability to easily switch to a different upstream branch (e.g. development, SCS tag, or SCS head) on an individual package basis to allow the user to participate with testing/development on what they have time/interest in. I think Foresight Linux implements something like this. I'll have to try it out one day, however I would love to see the mainstream distributions migrate to this sort of model.
Time for rolling release focus? Posted May 17, 2012 4:45 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]
I don't disagree with your points but these days Rawhide is never frozen. When a freeze is about to happen, a new development branch is created and Rawhide just keep flowing.
Time for rolling release focus? Posted May 17, 2012 4:59 UTC (Thu) by lemmings (subscriber, #53618) [Link]
Thanks for the link. I didn't realise Rawhide had changed that. I may have to try it out again.
Rawhide Posted May 17, 2012 13:37 UTC (Thu) by corbet (editor, #1) [Link] Yes and no... In truth, Rawhide often runs behind the frozen release for the latest updates; many Fedora developers have made it clear that Rawhide is a relatively low priority. Rawhide can be a good option—I run it—but sometimes I think that Fedora has bitten off a bit more than it can chew by trying to develop Rawhide and the next release simultaneously.
Rawhide Posted May 17, 2012 14:42 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
I don't think anyone would really describe the state of rawhide post-freeze as "development" - it ends up as a staging ground for things that can't be landed in the branched release, but there's certainly no expectation that it's a coherent release during that time. Whether there *should* be is a great question, and I'd agree that it's probably not very clear to an external observer what the expected behaviour of rawhide is at any given point in time.
Time for rolling release focus? Posted May 17, 2012 13:09 UTC (Thu) by tsdgeos (subscriber, #69685) [Link]
Archlinux does what you want as far as i understand
Time for rolling release focus? Posted May 18, 2012 17:06 UTC (Fri) by vonbrand (subscriber, #4458) [Link] OK, so you want stable (== no API change at all) while bundling the latest versions of everything. I'd like that too, and a pony while we are at it.
Time for rolling release focus? Posted May 18, 2012 17:22 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]
Stable API doesn't mean 'no change at all'. WinAPI gets new functionality all the time without breaking old functionality. glibc and the kernel do the same.
Time for rolling release focus? Posted May 21, 2012 6:58 UTC (Mon) by filipjoelsson (subscriber, #2622) [Link]
Sounds like Gentoo stable to me!</sarcasm>
Seiously, though, that's the main reaon I still use Gentoo. Though claming there's no API shift is a bit of a stretch. :-)
Time for rolling release focus? (for such packages) Posted May 17, 2012 16:28 UTC (Thu) by perennialmind (subscriber, #45817) [Link] It's much nicer when you can install the individual package frombackports into a stable environment. Running testing wholesale isn't an option for most folks and transplanting packages directly from testing is problematic. (I'm not saying it can't be done well, but so far I've only managed to do so poorly). One often runs into the odd package that needs to be updated on a different schedule. Typically it's a desire for a newer version, but sometimes it's a package that is only available in the upstream release. For projects which push updates like Wordpress, Chrome, and Firefox, why not bar them from stable, but let them live in backports?
Time for rolling release focus? Posted May 17, 2012 15:11 UTC (Thu) by bkw1a (subscriber, #4101) [Link]
I agree, to some extent, that distributions should move more toward "versionless" rolling releases, but the distributors will need to continue to test each update to make sure that it doesn't break things. That may be a bigger burden with a rolling release than a traditional stable release.
Distributions can't count on testing done exclusively by upstream developers. Interactions with the distribution's particular mix of other software and configuration options may reveal surprises that the upstream developers didn't anticipate.
Also, rolling releases won't help people running things like WordPress, which have lots of third-party add-ons. If you're running a web site that depends on one or more of these add-ons, you may find that a rolling release frequently breaks your site, because the latest WordPress is incompatible with the installed add-ons.
I really think that if projects like WordPress are serious about supporting production environments, they need to provide a "long term support" version similar to the Firefox Extended Support Release.
Time for rolling release focus? Posted May 18, 2012 4:33 UTC (Fri) by jcm (subscriber, #18262) [Link]
Dear goodness no. Please no :)
By all means, have whatever just-built bleeding edge you want in a testing distribution, but Linux distros in general are already too keen to move quickly as it is. I run a popular Enterprise distro on a number of machines, and that gives me the comforting warm and fuzzies, but it's not about me. You won't get more users adopting Linux by pushing for a moving target. You'll get more users by offering a tested and validated base and that doesn't come by just rebuilding whatever was released this afternoon.
Jon.
Time for rolling release focus? Posted May 18, 2012 5:28 UTC (Fri) by lemmings (subscriber, #53618) [Link] I also run a number of servers and appreciate the enterprise distro model in that it saves me time from not having to deal with upgrades breaking things. Unfortunately it does cause problems though as the software versions become obsolete causing development pain due to missing features or old bugs. The distribution eventually reaches end of life and then the OS major version upgrade becomes a huge exercise in planning. This is just a cost many server admins have to wear to keep mission critical services from breaking. The desktop is a different situation though. The quality of the experience is what counts rather than mission critical availability of services. I would argue that the free software community would be better able to improve the end user experience by closing the loop between the developers and the end users and feedback in a fashion similar to OODA loop. Right now as an end user on my Fedora desktop, it is a major PITA to effectively deal with software bugs. If I hit a bug, I have no idea if it has already been fixed in a newer stable version. Searching bug trackers can take quite a while. It may already have been fixed and I have to report to the distribution vendor to get the newer version available. This wastes my time and the distributions. Even if the bug isn't fixed upstream, it's going to take a while to download and install the upstream version to test it. And if I figure it out and either fix it or get the developer to fix it, then there is still the delay in getting the fixed version to end users. End result is that there is a lot of double handling and back porting and the rate of development (from the end user perspective) is really slowed down. If quality of individual bits of software can be decent enough, then I think the Linux kernel model of continuous stable releases is the way to go as a way to save our limited developer time and improve distributions. I hate to think how much effort the free software community must put into triaging bug reports, coordinating fixes, and back porting patches due to everything that sits between the end user and the developers. Effort that could be better spent improving the free software ecosystem...
Stable distributions and unstable software Posted May 17, 2012 13:49 UTC (Thu) by scripter (subscriber, #2654) [Link] Perhaps distributions could concentrate on the core "plumbing" of the system ... while providing a means for users to easily install applications (especially fast moving ones) from upstream. That is the model that the Google's Play store follows for Android.... With cooperation of the upstream projects, some kind of middle ground might be found between using the package manager and installing upstream code with an entirely different mechanism.I like the vision of getting applications from upstream. It's quite nice to get regular Chrome updates from Google on Fedora 14, even though the rest of the distribution is no longer maintained (Fedora 14 is full of Gnome 2 goodness, although Gnome 3 is inching closer to being usable in Fedora 17 beta).
Stable distributions and unstable software Posted May 17, 2012 19:20 UTC (Thu) by tzafrir (subscriber, #11501) [Link]
This most likely means you'll have multiple, conflicting and badly-package applications.
Not to mention that most of them will only support 1-3 major distribution on i386/64 .
Stable distributions and unstable software Posted May 18, 2012 20:33 UTC (Fri) by branden (subscriber, #7029) [Link]
"I like the vision of getting applications from upstream."
Be aware that folks like Ben Laurie will waste no time in advertising OpenSSL as an "application".
Stable distributions and unstable software Posted May 17, 2012 14:19 UTC (Thu) by debacle (subscriber, #7114) [Link]
> Perhaps distributions could concentrate on the core "plumbing" of the system (libraries, desktops, development tools, utilities, etc.) while providing a means for users to easily install applications (especially fast moving ones) from upstream.
I really hope, that distributions will not go this way. The thing I learned to love in Linux distributions (e.g. Debian, which I happen to work with) is not only, that I can install the complete system from one source. I also can create my own repository for my company (for Debian based distros using reprepro). I can be sure, that all packages conform to the distributions policy. I can be sure, that the FTP masters did check licensing issues before the package entered Debian. Furthermore, at least all bugs related to packaging, installing, upgrading etc. I can enter in a single bug reporting system.
Of course, Linux distributions should make it as easy and convenient as possible for users to install whatever software they like. But this should not be an excuse for not packaging useful applications.
I happen to use an Android telephone since some time. How I miss the convenience and ease-of-use of e.g. Debians package management on my phone. So much suffering, so many tears!
There must be a better way to deal with such problems. In Debian, there is "testing", which is a good choice for personal desktop systems. We have "backports" with many updated server applications. And there is "volatile" for packages, that need frequent updates e.g. virus scanners. This is probably not yet sufficient, but the way to go.
Stable distributions and unstable software Posted May 18, 2012 7:18 UTC (Fri) by Cato (subscriber, #7643) [Link]
There are quite a lot of reasons why an app store model (hopefully with more user control e.g. disable sandbox or allow third party app stores) is a good way to go for Linux, in my view - much easier installation of apps without cascading updates of the core, easier to install third party apps, etc. See https://lwn.net/Articles/489689/ for an exhaustive discussion.
Stable distributions and unstable software Posted May 18, 2012 9:05 UTC (Fri) by debacle (subscriber, #7114) [Link]
I am aware of the discussion and the arguments of the app store model proponents. Excuse me, I am not convinced.
Stable distributions and unstable software Posted May 18, 2012 13:09 UTC (Fri) by gdiffey (subscriber, #65017) [Link] So this is something that has come up recently in local meetups there was a proposal that installing primary development tools in parallel to the distribution package There was a somewhat interesting statement of the problem from a web developer pov in the slide deck pdf or the gist
The fast-moving web Posted May 22, 2012 19:22 UTC (Tue) by robbe (guest, #16131) [Link]
I may be seriously out of it, but is the web really evolving that fast? To me it seems more like release-race fanned by Chrome and Firefox. And the press releases are mostly about enhanced speed.
Real web sites care about stone age browsers like IE6 on XP. Or we would use SNI everywhere, and youtube would get off flash today.
I also see a lot of intranet web applications working solely with *old* browser versions. My favourite is one supporting Firefox 4 and 5 on Linux.
Funny that Jake talks about the Android model, where the browser is actually part of the stable base -- unlike desktop distributions, where it presumably will belong to the unstable/rolling department.
The fast-moving web Posted May 22, 2012 20:22 UTC (Tue) by raven667 (subscriber, #5198) [Link]
> Real web sites care about stone age browsers like IE6 on XP
I don't think thats true anymore. Many high-profile sites have dropped support for IE6, I think IE6 support is becoming rare for Internet accessible applications, there are still internal line of business applications from the IE6-only era in some organizations though.
Designers are pretty jazzed about the quick release cycle and auto-upgrades because the browsers are converging on standards more then they are diverging and you can more rely on the lowest-common-denominator user having a fairly recent and robust set of working standard features. Also the quick release cycle drives smaller, more incremental changes rather than breakage due to large feature changes between releases.
The fast-moving web Posted May 23, 2012 12:10 UTC (Wed) by ekj (guest, #1524) [Link]
Me neither. But we -do- still care about IE7, even though we wish we wouldn't have to.
We provide the technical part of several large websites, many of which are used by government-organizations which can be *very* slow in upgrading.
It'd be jolly nice if we could drop support for browsers which are no longer supported by the vendor, though.
Stable distributions and unstable software Posted Jun 1, 2012 0:44 UTC (Fri) by Baylink (subscriber, #755) [Link]
> Some projects evolve quickly, with rapid release cycles that often leave older major versions behind
Oh, you mean like Firefox versions 8,9,10,11,12 and 13?
(No, I am *not* going to stop harping on this...)
|
|||||||||||||