Debian Leaders: We Need to Release More Often
daria42 writes "The lack of a new stable release of Debian GNU/Linux since July 2002 is fuelling the campaigns of many candidates for the project's Debian Project Leader role, with many pushing for a shorter and more stable release cycle to stop Linux users heading for greener and more updated pastures."
Re:This is comical.. (Score:2, Informative)
Re:If it's stable, it doesn't need to be updatedOf (Score:5, Informative)
Re:Duh... (Score:5, Informative)
Check it out - I'm certain that they'd like the help of a high profile advocate like Bruce Perens.
Soko
Re:Duh... (Score:5, Informative)
Bruce
Re:If it's stable, it doesn't need to be updatedOf (Score:5, Informative)
Speaking of which... *tap* *tap* is this thing turned on? Is anyone from the Debian security team listening? I've got a security issue here... I've e-mailed vendor-sec (3 weeks ago)... I've e-mailed debian-security-private directly (1.5 weeks ago)... are you guys planning on responding some time this month?
(Yes, I'm entirely serious. Slashdot isn't my preferred channel for communicating with other security teams, but the usual mechanisms seem to have failed, and I figure that there must be at least a few Debian people reading this story.)
Re:This is comical.. (Score:2, Informative)
Unstable - changes often
for any slow people out there. English, anyone?
Re:If it's stable, it doesn't need to be updatedOf (Score:3, Informative)
A notable problem with using "spinoff" distributions is package compatibility. Can I install any
This is a problem with rpm-based distributions; I don't know if apt handles it in a smarter way than rpm, but I've been burned by it and I'm hesitant to try and see. While on the surface everything may seem to function properly, you never know when doing something seemingly innocent like installing or upgrading a package can open up a huge can of worms. I know; I tried installing some packages from my Mandrake 8.2 CDs on a Red Hat system. The first couple worked without any problems, but I tried installing another package that happened to mess with some other file that was already on the system, and it broke several other seemingly unrelated programs.
Re:well.. (Score:2, Informative)
You're probably referring to d-i which does have snapshots which get updated every now and then, but it itself is updated all the time.
Re:If it's stable, it doesn't need to be updatedOf (Score:5, Informative)
-Leigh
Re:no shit, einstien! (Score:3, Informative)
If you're willing to switch to a different OS altogether, try FreeBSD. FreeBSD has a Package and Ports system. Packages are pre-compiled binaries that can be fetched and installed, and Ports is a way of installing software through source.
To install Firefox, for example, you can type pkg_add -r firefox, and it would fetch a Firefox binary from the FreeBSD servers and install it from your system. If you prefer to compile Firefox, just cd to /usr/ports/www/firefox and type make install clean. It would automatically fetch the latest Firefox sources and compile them. Ports also resolves dependencies too; if GTK 2.4 or later isn't installed on the system (which Firefox requires), it will also fetch and compile the latest GTK if it isn't installed on the system.
It is also pretty easy to upgrade all of your packages and ports, too.
There are three ways that you can get FreeBSD. Every 5-6 months there is a FreeBSD release (FreeBSD-RELEASE). For example, FreeBSD 5.3 came out last November, and a FreeBSD 5.4 release is slated for April. However, if you want a more upgraded version and track development, there are two directions you can go: FreeBSD-CURRENT and FreeBSD-STABLE. CURRENT is the development branch that adds and tests new features, while STABLE includes the finished features, ready for one of the RELEASES.
You can find out more about FreeBSD here [freebsd.org]. It has many of the features that you like in Debian, except updated much more often. Only thing to tell you is that FreeBSD isn't Linux; there are some key differences between the two operating systems that you should be aware of.
Re:Duh... (Score:5, Informative)
Historically, I am the author of Debian's fundamental policy document and did a lot of the early work on their system.
I've paid my dues a few times over.
Bruce
Re:Duh... (Score:5, Informative)
When comparing Ubuntu with other distributions than Debian, things are a bit different. One of the selling points for Ubuntu for me is that it's developed by a community and has a central package repository. It's been a while since I used a non-Debian distro, so I'm sure much of this has changed, but when I used Red Hat and Mandrake, there was either nothing that compared, or it wasn't visible enough. Assuming that other distros have that now, there's the deb vs. rpm issue depending on which one you prefer. The main issue is that you're never considered a second class citizen in Ubuntu. The other distros have commercial versions with special software and updates you don't have access to. With Ubuntu, everything is free, and they've made a commitment to always remain free.
Re:this just in... (Score:4, Informative)
The actual blocker for the past 6 months or so has been the testing-security support. Before that, it was the fact that we didn't have a working installer.
Re:this just in... (Score:5, Informative)
After potato was released, Anthony Towns implemented testing in an attempt to keep testing in a releasable state always, so releases could occur more rapidly. That helped, but still didn't really fix the problem.
After woody was released, security support and the installer were serious problems that had stalled the release of woody for quite some time, so more effort was placed into those areas to create a working installer along with a decent security infrastructure. That has helped as well. However, it took quite a while for those to be implemented.
Now that sarge is on the verge of being released, people are analyzing the situation again to try to figure out what else should be done to fix the problem. The Vancouver Prospectus [debian.org] is an attempt to solve what have been identified as the problems for etch.
No, as you can see above, specific things have been attempted to solve the problem. They haven't succeeded, clearly, but it's not for lack of trying them. Distributions based on Debian are rather easy to make, frankly, especially if you're going to standardize on a specific set of packages and only support them. It helps as well if you can throw money at the problem and hire people to work on specific problems. Point in fact, none of the not-for-profit Debian based distributions have ever actually released a stable distribution and supported the entire stable distribution for a whole product life cycle. They have different goals for the releases that they make than Debian does, which is quite acceptable for them. [Nothing is stopping anyone from taking a specific version of testing, calling it "stable" and supporting it. The fact that no one has should tell you something.]
Re:no shit, einstien! (Score:2, Informative)
I'll call bullshit on that.
Portage has great potential, but it's far from usable yet. Right now, after the first time you've done an 'emerge sync' (put simply, to update the ebuild list), installing any program is likely to result in portage downloading a brand-new kernel, even if you've got 20 different versions installed.
XMMS might be a good example. It (optionally) depends on alsa, and alsa requires the kernel source to compile its modules. Well guess what? Your installed version of alsa is no longer the latest version available, so it has to be installed again, and your kernel source is no longer the latest either, so that is going to be downloaded and installed too.
This is a basic example. If you want to update one program that depends on gnome/kde libs, good luck, because the latest version of EVERYTHING is going to be downloaded, compiled, and installed. When you come back a day later, it will still be compiling, and filling up your hard drive, unless you are very careful and manually resolve these conflicts.
It's incredibly infuriating. It can be worked-around by manually editing the config files of each ebuild you want to install (and they aren't just simple little text files, either.) but in my opinion, compiling a handful of packages from source in the first place, is infinitely easier.
In case anyone is wondering, I've gone back to slackware after my failed 1+ year experiment with Gentoo.
Re:no shit, einstien! (Score:3, Informative)
Maybe a bit too often... (Score:3, Informative)
I would prefer something in between stable and testing, updated reasonably often with new packages (and features) and also have security releases in between as required.
Re:Except... (Score:2, Informative)
> date. stability is just well-tested, well-written code.
One thing to note is Debian's stable is meant to be not just rock-solid, but also "unchanging" stable. Both meanings of the word apply.
Meaning if you install a debian stable, it absolutely positively will not change, except for security bug fixes. It'll be the same system now, tomorrow, in six weeks, and in six months. You won't get a feature change on a debian stable system that messes with your server that may very well RELY on those features acting as they do.
Unfortunately having it stretched out to "unchanging for 3 years" is far too long. I'd like to see 18 months absolute maximum.
pinning (Score:2, Informative)
i also have a long list of external package repositories from apt-get.org. some of my systems also track ubuntu packages as well. i run ubuntu's Xorg package set on my laptop (better acceleration, maybe one day working Xorg Suspend-To-Ram on my ancient ATI mobility ). it works perfectly transparently, including xcompmgr & all.
the nice thing about debian is it lets you mix and match very easily while resolving all dependencies very nicely & very cleanly. also, you can set up your own repository very easily to take a sample collection of packages from kingdom-come and mirror it so it looks like a somewhat cohesive single repository. with apt-build coming along nicely, you can even cleanly and efficiently maintain your own patched versions of packages as they evolve, making it easier to recompile all your programs for Heimdal kerberos instead of MIT, for classic example.
who gives a rat about stable? just pin what you need. debian distro is really about empowering the user to whatever ends with the most direct simplicity. distros like ubuntu are there for those who just want a single clean complete desktop distro.
Myren
Better terminology needed (Score:2, Informative)
All servers I install are Debian and initially I used stable but now I use testing and have not had a single problem.
For servers, Debian's great. For desktop, it's still great except that you use Knoppix or Ubuntu instead which take care of providing the latest and greatest package versions. Underneath they're still good old rock-solid Debian!
Re:Duh... (Score:5, Informative)
Has recent packages (Woody doesn't)
Provides security upgrades (Sarge doesn't)
Is somewhat stable (I believe that Warty is stabler than Sid)
Many packages in Sarge are newer than their counterpart in Warty, and similarly Sid has newer packages than Hoary. However these differences are small and unimportant.
Ubuntu has focused on a subset of the Debian archive. The packages in this subset are stable and work well. Furthermore Ubuntu has a "universe" archive that contains most of the packages in Sid. Some of the universe packages are uninstallable due to missing files. This can be bad if you are very dependent on a specific program.
Re:well.. (Score:3, Informative)
Re:Even Slackware.... (Score:4, Informative)
Re:If it's stable, it doesn't need to be updatedOf (Score:3, Informative)
Actually...Yes. Yes you can
In fact the system I'm writing this on is Ubuntu Warty and I have the Debian Sarge repositories loaded in my sources list. I've got quite a few Debian packages loaded on my system with no breakage whatsoever. I've heard people refer to this type of setup as "Debuntian".
I wouldn't do anything stupid like apt-get upgrade (I comment out the Debian stuff for that) but for installing specific packages you're pretty safe.
That wouldn't be really true... (Score:1, Informative)
Re:Even Slackware.... (Score:3, Informative)
There's nothing wrong with the Slackware package management. It doesn't have dependencies; that is by design. Otherwise it's not too different from anything else, except Gentoo.
15781 packages in sid-main-binary-i386 (Score:3, Informative)
We're listening .. (Score:2, Informative)
Although unless you could post a subject, or the mail account you mailed from it'd be hard to tell.
There are literally hundreds of messages going to the security@debian.org alias - and vendor sec also gets a lot of spam. This is one reason why sometimes I've lost things.
Of course that's likely not to be what's happened to yours, maybe it just got queued up behind all the other things that we're working on.
Does that help?
Feel free to ping me with another copy if you like.. Actually forget I said that, I've just found your mail and I've personally not responded because of the lack of details - we already publish our private keys on our webpage so asking for them again is extra work when we've got lots to do.
Vendor-sec / Debian can do lots of things your particular case you might think of a more appropriate person to pass it onto - obviously I don't wanna give details here.. Grr.