Debian Etch and Ubuntu Feisty: a comparison

[Posted August 11, 2009 by corbet]

From:		Anthony Towns <aj-AT-erisian.com.au>
To:		debian-project-AT-lists.debian.org
Subject:		Synchronising with Ubuntu
Date:		Tue, 11 Aug 2009 19:42:24 +1000

On Mon, Aug 03, 2009 at 03:55:16PM +0000, Anthony Towns wrote:
> 	etch:  2006/12 - 2007/04 (decent hit for feisty's import freeze)
> 	lenny: 2008/07 - 2009/02 (decent hit for jaunty's import freeze)
> 
> dapper and hardy are the two Ubuntu LTS releases so far, dapper reached
> its desktop end-of-life a couple of weeks ago. feisty hit its end-of-life
> in October last year. I'm just extrapolating from karmic's release
> schedule; I haven't checked the schedules weren't different historically.
> 
> Based on that, comparing universe packages in etch-vs-feisty and
> lenny-vs-jaunty for version differences, and any differences in security
> updates could be interesting, actually.

Turns out it kind-of is, too.

First, basics:

    etch: froze in December 2006, released in April 2007; still supported
    feisty: DebianImportFreeze in Dec 2006, UpstreamVersionFreeze in Feb 2007,
        released in April 2007; support ended October 2008

Comparison between etch/main and feisty/main+universe by source:

    6874 exact same source
     132 only in Debian
    2273 only in Ubuntu

     600 newer upstream version in Debian
    1538 newer upstream version in Ubuntu

    1079 Ubuntu has Vebian bersion with ubuntuXX patch

As at today (2009/08/11) etch/feisty security support compare as follows:

      63 packages with security updates in both Debian and Ubuntu (11
         same version, 8 where Debian has new upstram, 28 where Ubuntu has
         new upstream, 16 where Ubuntu applied patches to Debian version)

       5 updates in Debian to Debian only packages
       7 updates in Ubuntu to Ubuntu only packages

      31 updates in Debian to packages with the exact same source in Ubuntu
       6 updates in Ubuntu to packages with the exact same source in Debian (!)

      42 packages updated in Debian but not Ubuntu (6 where Debian has
         newer upstream, 30 where Ubuntu has newer upstream, and 6 with
         ubuntuXX patches)

      15 packages updated in Ubuntu but not Debian (4 where Debian has
         newer upstream, 6 where Ubuntu has newer upstream, and 5 with
         ubuntuXX patches)

Of the 31 updates Ubuntu's missing, only one is from feisty/main,
and that lcms 1.15-1.1+etch3, which was DSA-1684-1 (etch1), DSA-1745-1
(etch2) and DSA-1745-2 (etch3), which were released on Dec 10, 2008,
March 20, 2009 and March 25, 2009; well after feisty's end of life in
October 2008.

The 6 updates it seems like should be a no-brainer for Debian to pull are:

    clamcour 0.2.2-1.2+feisty2 universe/mail
    dansguardian 2.8.0.6-antivirus-6.4.4.1-4build1~feisty2 universe/web
    denyhosts 2.6-1ubuntu0.1 universe/net
    dircproxy 1.0.5-5ubuntu0.1 universe/net
    dokuwiki 0.0.20061106-6ubuntu0.1 universe/web
    jasper 1.701.0-2ubuntu0.7.04 libs

The only USN I can find covering these is for jasper, namely USN-501-1.

In any event, seems like there's more room for collaboration there at
first glance.

I've half done the same analysis for lenny/jaunty; but apparently it's time
for pizza.

Cheers,
aj

to post comments

Debian Etch and Ubuntu Feisty: a comparison

Posted Aug 11, 2009 20:36 UTC (Tue) by sbergman27 (guest, #10767) [Link] (9 responses)

We've all heard the "unfounded" criticisms: There are 400 Linux distributions, all incompatible with each other. Such duplication of effort should be criminal! etc. etc. etc.

And we naturally dismiss it. Because "obviously" all that effort is *not* duplicated.

And yet... the portion of the effort which *is* duplicated is, upon closer inspection, substantial. There is no reason, in principle, that is *has* to be. But in practice, it has been.

Closer collaboration is an obvious way to eliminate much of that duplication of effort. And if the idea had come from anywhere other than the BDFL of a distro which has enjoyed such jealousy-inducing success as has <this space intentionally left blank>, it probably would be looked to as the next big thing for Linux.

Ignore it at your own peril.

Debian Etch and Ubuntu Feisty: a comparison

Posted Aug 11, 2009 21:37 UTC (Tue) by ajross (guest, #4563) [Link] (8 responses)

I'm not sure I follow the logic. If Ubuntu uses an upstream universe package from Debian, and doesn't modify it, how are they wasting effort? The point to using a Debian base was *always* to reduce duplicated effort.

The argument against the fork is that Debian doesn't automatically benefit from Ubuntu-specific changes, not that Ubuntu is wasting effort by (not) duplicating stuff Debian already did.

Debian Etch and Ubuntu Feisty: a comparison

Posted Aug 11, 2009 22:07 UTC (Tue) by sbergman27 (guest, #10767) [Link] (7 responses)

> If Ubuntu uses an upstream universe package from Debian, and doesn't modify it, how are they wasting effort?

Why Universe? Ubuntu is based on Testing, to the extent that anything can said to have been based upon a repo which is constantly in flux.

If Debian then modifies the package to fix a security hole, Ubuntu misses out. If Ubuntu modifies it to fix a security hole, Debian misses out. If Debian and Ubuntu both modify to fix a security hole, there is duplicated effort.

Using Debian as a base reduced duplicated effort *big time*. But there is *much* room for improvement.

And the story does not end on the release date. For the years that the package is supported by the distro, the security updates will be require duplicated effort. Do we really want one distro to release with version 2.1.3.4 and the other with 2.1.3.3 and duplicate the effort? Or would we prefer that both release with the same version and share the load?

Debian Etch and Ubuntu Feisty: a comparison

Posted Aug 12, 2009 2:21 UTC (Wed) by oblio (guest, #33465) [Link] (6 responses)

You forget the human factor.

What if I (Ubuntu packager):
a) don't like the Debian packager
b) can't convince the Debian packager that the update is important enough to warrant a package update
c) the update introduces a regression (which I consider minor, but he does not)
d) can't get a hold on the Debian packager, because he's away in Sri Lanka on a vacation
...

I believe 99% of the duplicate work done by distros is because of the "human factor". Check the mission statements/descriptions/history of most of the distributions. They start something like: "we were dissatisfied with the existing distributions" and continue "and we decided to make our own" instead of "we decided to join Debian/whatever".

Debian Etch and Ubuntu Feisty: a comparison

Posted Aug 12, 2009 3:06 UTC (Wed) by jamesh (guest, #1159) [Link] (5 responses)

I've only done a little Ubuntu packaging, but have never really had a problem communicating with upstream Debian maintainers.

I wouldn't call all the packaging differences between the two distributions problems, since in many cases the best you can do is aim for eventual consistency.

For example, Debian might be frozen to the point where it won't accept certain package changes, but those changes are required by Ubuntu. That might show up as a difference in the two releases, but the change may get merged after the freeze is lifted. The same can happen in the other direction.

Debian Etch and Ubuntu Feisty: a comparison

Posted Aug 12, 2009 5:14 UTC (Wed) by drag (guest, #31333) [Link] (4 responses)

Ideally what should happen is that Ubuntu and Debian remain compatible enough that they can share the same repositories.

If Ubuntu is based on Testing or is a snapshot of Debian unstable then it should be fine not to actually provide any software other then what is in Ubuntu main and then just have people pull directly from Debian repositories.

If Debian and Ubuntu get their 'stable' releases syncronized then that should make it even more possible.

----------------------

It's difficult situation both ways.

Ubuntu was created, essentially, as a response of Debian's inability to get software out on time and create a user-friendly default desktop install. (If this is not true then Ubuntu would of never reached the level of popularity that is today.. people would simply be using Debian instead)

I remember back in the day when a bunch of companies like Progeny and Xandros and all that tried to develop a "standard debian base" and all that so that they could share packages between them. But all those efforts failed because of Debian's failures and limitations. Debian was just unable to produce software releases on a dependable and timely manner.

If Debian developers could be made aware of the value and advantages to time based releases AND Ubuntu can gain the discipline in packaging to remain compatible with Debian then big benefits both ways can be realized.

That way Debian gains user-friendly desktop and Ubuntu gains credibility as a really useful OS in the business/server world. Debian's big advantage is the quality of packages and the amount of work that goes into making sure that everything is consistent, tested, and compatible. If, for example, your doing something big like setting up a Kerberos/LDAP system for Linux desktops then the packages provided by Debian will actually work for that, unlike most distros that don't get that stuff tested well or depend on proprietary products. It's obvious from the amount of details and little compatibility configurations and tools that people actually use Debian for that stuff. Ubuntu needs that sort of thing to be taken seriously as a desktop operating system for businesses.

-------------------------------------------

I do NOT see any reason, other then people's hangups and personal politics, why (with work and coordination) the Debian Tasksel that you won't be able to pick 'Ubuntu Desktop' as a installer option. I also think that instead of having the 'universe' and 'multiverse' users could just point at 'deb http://ftp.debian.org/' for their extra package mirrors.

I think that would be a wonderful thing to shoot for.

Debian Etch and Ubuntu Feisty: a comparison

Posted Aug 12, 2009 7:25 UTC (Wed) by mbanck (subscriber, #9035) [Link] (1 responses)

Ideally what should happen is that Ubuntu and Debian remain compatible enough that they can share the same repositories.

Remember that Ubuntu is only based on Debian (unstable, by the way) on the source-package level. They rebuild revery package against their own toolchain, which in general makes it unsuitable to be installed on a Debian system (and vice-versa).

Now that library dependencies are more fine-grained on the symbol level via dpkg-gensymbols, it might get easier to share binary packages (e.g. most C programs do not use features of glibc-2.8 or above, and will now only declare a Depends on, say, glibc-2.3.6), but that will have to be seen.

Probably another factor in wasted possibilities for collaboration was Launchpad: from the outside, it looked like Ubuntu developers (at least those employed by Canonical) were suggested to use Launchpad for things like packaging. On the other hand, Debian Developers could rarely be convinced to use Launchpad due to its non-freeness. Maybe this will change now as well, however there is still the somewhat incompatible choice of VCS (svn/git on the Debian side, bzr on the Ubuntu side).

Debian Etch and Ubuntu Feisty: a comparison

Posted Aug 12, 2009 14:56 UTC (Wed) by drag (guest, #31333) [Link]

> Remember that Ubuntu is only based on Debian (unstable, by the way) on the source-package level. They rebuild revery package against their own toolchain, which in general makes it unsuitable to be installed on a Debian system (and vice-versa).

I don't know how much truth is in that really. In what ways are the code generated by the toolchains incompatible?

For example I've installed Chrome and a few other programs from Ubuntu's PPA on Debian and that worked just fine.

I know that for Opera offers dozens and dozens different packages for different distros.... but if you look at what is in them they all use the same binaries and install the same libraries to the same locations. Checksums and everything matches. There are a only a few different files, mostly minor things to do with packaging and the only different binary that is supplied is one for very old versions of Ubuntu that have use a different GCC C++ ABI.

Is it really neccessary for every program to be built using the same exact versions of GCC and whatnot?

Debian Etch and Ubuntu Feisty: a comparison

Posted Aug 18, 2009 20:01 UTC (Tue) by oak (guest, #2786) [Link]

> Ideally what should happen is that Ubuntu and Debian remain compatible
> enough that they can share the same repositories.

Err... Even their essential packages set is different. Ubuntu has
declared python as essential. (essential = package to which other
packages may not declare a dependency unless a versioned dependency is
needed and without which other packages cannot be installed)

Debian Etch and Ubuntu Feisty: a comparison

Posted Aug 20, 2009 20:38 UTC (Thu) by jengelh (subscriber, #33263) [Link]

>Ubuntu was created, essentially, as a response of Debian's inability to get software out on time and create a user-friendly default desktop install. (If this is not true then Ubuntu would of never reached the level of popularity that is today.. people would simply be using Debian instead)

By that logic, I should be able to capture the entire U****u fanbase by merely slapping a 1024x768 GUI installer on top of OpenBSD (they already have timely releases)!