Debian Leaders: We Need to Release More Often
daria42 writes "The lack of a new stable release of Debian GNU/Linux since July 2002 is fuelling the campaigns of many candidates for the project's Debian Project Leader role, with many pushing for a shorter and more stable release cycle to stop Linux users heading for greener and more updated pastures."
July 2002 .. you've gotta be kidding me.. right ? Another Slasheditor typo ?
I thought Debian was an enthusiasts distro..
I would like to be the first to say "duh". Debian is old. Despite it being stable, it's often a good idea to have the newest programs to keep up with the newest technologies.
However, I do find that using a netinstall version of the "testing" release tends to keep up to date with most packages.
-------
Support Indy Music. Buy
I can see the need for keeping ahead of security bugs, but to change for change's sake is just silly.
I have no problem playing with aptitude from their latest unstable Sarge (it's great BTW), but it makes it very hard for me to recommend Debian on servers to customers when the latest stable release is eons old. Yes, I know there are ways around this... but let's face it, from a customer point of view it's a small image problem Debian has.
READY.
PRINT ""+-0
Debian was the first Linux distribution I ever downloaded, in the summer of 2003. I was on dial-up at the time (and didn't even have my own line, so I couldn't download 24/7), and I remember being worried that there'd be a new release by the time I was done downloading the first ISO. I mean, open-source software moves fast, right?
Should've relaxed.
I suppose an apt-get answer to yum, portage et al. seems appropriate in exchange for the debian written security patches that would only be included in the stable branch. They should focus on i686 binaries instead. Since such a small minority of debian users are still using 386's
Debian testing allows you to update your system as packages become available without having to wait for a full release
Bruce
Bruce Perens.
As a new Linux user, what I heard from all my friends was, "don't use Debian, use Mepis or Knoppix or Ubuntu." It seems to be the opinion of many that Debian is nice, but it's not worth using a plain version of Debian, because these other distros have built it into something better. At least, that's the impression. So it seems that Debian is losing "mindshare" among new Linux users to a degree.
Last stable release in 2002 - how can they possibly compete with Microsoft whose last desktop operating system release was in 2001 :)
It would be really nice if Stable were updated at least yearly. I'm willing to play with Unstable or Testing if it's for my own use only, but if it's for someone else then I may as well either use a heavily-package-based distro like RedHat or SuSE, or Slackware if I'm going to have to build a bunch by hand anyway.
I guess that it'd been awhile since I last installed Debian from scratch, I didn't know that it has been two years.
Do not look into laser with remaining eye.
Debian Leaders: We Need to Release More Often
This just in: the Catholic Church says the Earth is round.
In other news, George Broussard admits Duke Nukem Forever "is a little late".
Question- why did it take, oh, 3 years for them to finally come to terms with the fact that their iguana was turning into a dinosaur? It's like they've all been collectively in denial. I took one look at the list of versions in the stable branch when someone suggested I check out Debian. I laughed, and closed the window. Every time I've come across a Debian box, it was "put in by some weird guy who doesn't work here anymore". Debian users preach to me about stability, when I haven't had a linux box do something unexpected in quite some time. Debian's still stuck in the age of obsession with uptimes.
I understand the need for stability, but that means you put more effort into QA, not that you sit on your ass because what you've got works. I mean hell, some distros still ship 2.4; it's an embarrassment that companies like Redhat port BACK improvements made in 2.6 to their own versions of the 2.4 kernel, instead of finding and fixing problems in 2.6.
Please help metamoderate.
Ultimately, the people who like Debian will continue to use it; likewise Debian's goal should be keeping its customers satisfied rather than trying to sway people away from other distros.
I don't really care that it's not updated because apt is flexible enough to work around that. And if a package is _insanely_ outdated, usually a newer one is in Testing or Unstable. And as a last resource, it's not like Debian precludes you from compiling it yourself.
While more frequent releases would be nice, I like it just the way it is. I feel as if I'm guaranteed that the packages will work together without problems (something I haven't encountered in certain other package management systems). And for the select few programs where the version is unacceptably old (like gaim), I just compile from source code.
If you say "here goes my karma" I will bite you!!!
...for a second, I thought that read "Lesbian Leaders".
And I, for one....
ahhh, never mind.
I think this is good news that some of the potential leadership in Debian has recognized this as a problem.
I've been a Debian fan for some time, but I find I am racking my newly built critical servers on RHEL3&4 just because so many of the Debian packages are 'stale'. In a lot of environments, running testing is unacceptable and using stable is too far out of date for the intended use of the machine. We are definitely in limbo as far as Debian installs.
I really hope they pull this together, without Debian the landscape changes dramatically for binary stable systems.
But, the biggest problem I can see is that by releasing early and often it creates a larger legacy code base that needs to be maintained but does not have the resources to do so. You cannot effectively update a server farm of hundreds to thousands of machines to a new version within a short legacy cycle, yet it is a huge burden to maintain the legacy code for any length of time.
Is up to date, even considering the head honcho's health problems.
There's no excuse for no Debian stable releases since 2002.
Maybe Bruce should base UserLinux on that.
--
BMO
Not to mention Gentoo.
But I'll wisely keep quiet so not to incur the wrath of Slashdot...
Try Ubuntu. They have a release cycle of 6 months and the next release, due in April, is Gnome / KDE. You can even get the preview release now.
Slashdot anagrams to "Sad Sloth"
...just looking at it, to be more of a "base platform" from which people build their own customised distros. This in fact might be an actual model for a future LinuxOS,(OSes in general I mean really) if no standard GNU/LinuxOS ever evolves, just make it incredibly easy to select what sort of computing experience you want, mash a few buttons, answer a few questions about hardware, whatever and etc, and your custom distro gets created, you then download it burn it and install it. People don't really "run" an OS, they want to "run" some applications. They want to just go do stuff with their computer, not really futz with it constantly. Well, I mean the 99% of the other people on the planet. You know, "them" guys.
Anyway, if you look at it that way, it's neither way behind the times or bleeding edge, it's just a big ole pile of apps and kernels that you have access to. Maybe they should just skip the different versions, let Apt sort it out when people go to build their own, make it a remasters dream system instead of trying to be a stock classic distro "OS". Do something different than what MS and Apple and Sun are doing. Make the personalised "your computer" be the primary focus, along with the "easy" part.
Debian developers basically have two options: either rein in the development cycle or rename "Debian Stable" to "Debian Obsolete". I've been a long-time Debian user, but now I too am looking for greener pastures. The question is where to? Gentoo? Fedora? Is there something that compares to apt-get?
___
If you think big enough, you'll never have to do it.
I can see the need for keeping ahead of security bugs...
Speaking of which... *tap* *tap* is this thing turned on? Is anyone from the Debian security team listening? I've got a security issue here... I've e-mailed vendor-sec (3 weeks ago)... I've e-mailed debian-security-private directly (1.5 weeks ago)... are you guys planning on responding some time this month?
(Yes, I'm entirely serious. Slashdot isn't my preferred channel for communicating with other security teams, but the usual mechanisms seem to have failed, and I figure that there must be at least a few Debian people reading this story.)
Tarsnap: Online backups for the truly paranoid
Debian was the one distro that I never really thought of having official releases. It has versions that are fluid with their packages:
Stable
Testing
Unstable
Each have their own rewards and risks, but the key to me, was that with the netinstall disks, they never went out of date. You never had a CD set full of six month old packages, you had your favorite debian version's latest, usually day old release, a download away.
The new installer is excellent, and with the lack of X based GUI, will still work with a minimal download.
Debian is great, but hey the packages come out too slow!!!
I changed to Gentoo because a lot of the new software took far too long to be released as a debian package. Sure, I could have just downloaded the software, make install, etc blah. But I wanted to manage my packages!
For this very reason I switched to Gentoo.
The only thing annoying about Gentoo is compiling time - which is still quicker than waiting for Debian packages to come out.
People aren't leaving Debian for greener pastures. They're leaving Debian for Debian derivatives. If the last three months on Distrowatch are any indication of how much each distribution is being used, then Debian is the most important distro out there. Ubuntu is #1, Mepis is #3, and Debian itself is #6. The Debian project is obviously doing something right if some of the most popular distros choose to base themselves on it.
On the other hand, the fact that derivatives are necessary is a sign of Debian's shortcomings. I haven't used Mepis in over a year, but the last time I used it, it was basically Debian installable off of a live CD with easy to use configuration tools. That says that Debian proper is hard to install and lacks user friendly configuration tools. The former problem has been fixed, but I'm not sure the latter has been. Ubuntu is Debian with a shorter release cycle and paid developers to add polish. This shows that users obviously take issue with Debian's long release cycles, and once again, the administration tools. Anyone who is running the development version of Ubuntu right now knows how easy it is to keep things up to date. The newer software also takes advantage of advances on the Linux desktop, such as Project Utopia. I can plug in USB devices, and they just work. It's nice, and Debian proper misses out on things like that because of the age of its packages.
So who uses Debian stable? From the things I hear, it's people who want a long release cycle. Woody users have been getting security updates for however long it's been since the release. People like that. Ubuntu is supported for 18 months after a release, which is likely to be too short for some people. I don't see how Debian loses out from desktop (and some server) users using the derivatives. Ubuntu is the main derivative, and all its work goes back into Debian proper. When etch is getting ready for release, the job is going to be much easier to do, since Ubuntu has already done much of the work ahead. Sarge has been in some sort of a freeze for most of the time Ubuntu has been around, so they haven't been able to reap the benefits of Ubuntu's presence. People getting paid to work on Debian is a good thing, not something to be angry about, which is the sense I get from some posts on Planet Debian.
So if Debian shortens its release cycle, where does that put it in the Linux ecosystem? I doubt they will be able to support security updates for multiple stable releases, which is what they would have to do with a short release cycle to maintain the current length of support. As much as Slashdotters like to poke fun at Debian, it plays a very important role. Does it really need to change?
Debian developers, thanks for making such a great distribution. There are lots of Ubuntu, Mepis, and Debian proper users that appreciate it.
We have over 100 Linux servers, but we chose CentOS as our default OS. We could have chosen Debian instead. In fact, the control panel we use for our customers (DirectAdmin) runs on Debian. But here's the #1 reason I didn't choose Debian:
[hypothetical scenario]
Customer: "What operating system version do you use?"
Us: "Debian unstable."
Customer: "...unstable??"
The close-behind #2 reason is the installer, but I understand that's getting fixed. IMHO, Debian should strive to release a new stable version every 6 months, with 12 months being the maximum time between new stable releases. As it is, I cannot justify using Debian for business purposes when their offering that coincides with what we need is labeled "unstable".
Simpli - Your source for San Jose dedicated servers and colocation!
As I said here, it might act like Debian, but Debian it's not.
A notable problem with using "spinoff" distributions is package compatibility. Can I install any .deb package on Ubuntu without possibly causing binary version problems? Similarly, can I build a package on Ubuntu, give it to a Debian user, and be sure that it'll work properly on their system?
This is a problem with rpm-based distributions; I don't know if apt handles it in a smarter way than rpm, but I've been burned by it and I'm hesitant to try and see. While on the surface everything may seem to function properly, you never know when doing something seemingly innocent like installing or upgrading a package can open up a huge can of worms. I know; I tried installing some packages from my Mandrake 8.2 CDs on a Red Hat system. The first couple worked without any problems, but I tried installing another package that happened to mess with some other file that was already on the system, and it broke several other seemingly unrelated programs.
Bears don't normally eat things that talk and move backwards.
whats the only thing that takes longer than a full Gentoo compile....
once more into the breach
Debian and Ubuntu are currently similar enough that i have yet to hear of this happening, though i'm sure it's possible. note that the ubu dev model is something like this: snapshots of debian unstable every 6 months, with fixes applied and fed back into "vanilla" debian. as such i think that we're going to continue to see them being very similar.
-Leigh
fedora: the blowfish sushi of distros, exciting, dangerous and for daredevils. It may kill your machine
redhat: the cafe food in the basement of the megacorp, great food but at airport restaurant prices.
novell/suse: the suits come in the front and pay to sit down and get served the same great food most of which is given away at the soup line in the back.
white hat: sneaks the food away from redhat and does the soup line thing. Some seasoning missing.
mandrake: tastes like redhat with somewhat better seasoning and operated kind of like the suse restaurant
gentoo: gourmet ingredients for you to build your own 9 course dinner, hopefully you don't starve in the meantime
debian: stale, week-past-expiration date bread that won't hurt you, and some rather tasteless but nourishing year-old jerky to put on it.
Why not post it to somewhere anonymous like SANS, etc?
They can contact the teams in other methods I'm sure, and if not, they can publish it and force a fix.
wdd
it's important to look at debian as a concept as a whole. when you say "debian stable", you're talking a particular snapshot of all these programs 3 or 4 years ago that have been analyzed and proven stable. if you are looking for what linux provided as a whole 3 years ago, you are probably in the right place. why is it so bad to have a clearly defined role for this "stable" distribution? it's called "stable" because that is exactly what it is. rock solid stable. if you want fancy jazz, no one stops you from using testing or unstable. despite the scary connotations, testing has proven to be stable as well.
this sig limit is too small to put anything good h
This should help reduce the long time between releases. Every 6-12 months convert testing into frozen. Frozen should be considered a release, and supported as such, with security updates for ~18-24 months. Periodically, when few bugs exist in frozen convert frozen into stable. Maintain security updates for the last two stable releases. The idea is that for mission critical servers, stable would be used, but frozen would be sufficiently stable for workstations and less reliable servers. Just pushing out security updates for testing isn't enough because the continual upgrade process is too much for lightly administered machine. This also ensures that testing is never frozen for long periods of time, which is good for desktops that want to be running the latest software. I like the concept of supporting fewer architectures, but this needs to be done properly. They should only allow bugs in the rare architectures block packages in stable. Most of these architectures are only used for servers or other rarely updated machines. Plus, since stable is not the release, these architectures won't block releases.
This is a "once more" new iteration of the same old idea of Debian updating their stable branch not often enough. And as always, I have to respectfully but totally disagree.
For one, people should really understand and see, that not all Linux distributions are just there to suit the newbie (l)users' desktop needs. This is just the attitude people gather while being full-blown Windows users and then fiddling around with some Linux, thinking it's cool and if he can't find his way around, then at least that's another reason to bash.
Debian's stable branch is just _the_ perfect distro for servers. You can argue with this statement, but I will _not_ listen to home users' hysterical crap about the newest kde/gnome being necessary. There are places where that simply doesn't matter.
Where I spend my working hours very few people use Linux distros on their desktops, really very few, but almost all our servers are Linux based. The two of them where I have root access are Debians. One is a current stable Woody, being web&mail&db&cvs&related server which I installed last year because the previous machine had a major blowup. The other is a Debian Potato (!) which is the previous [i.e. before Woody] stable branch, which is our dns server, up and working for ... well, since about the Potato release.
No desktop environments, no x, just good stable and reliable code which I trust and - most importantly - _very_ _easy_ to maintain.
At home I use Debian SID for about 4 years now. Updated about weekly, _very_ stable and usable. It has all the desktop fun I need. Most important: it hasn't been reinstalled since the first install just always copied over to the changed machine (about once in a year, I always hand-build my machines ever since I became acquainted with the screw driver), updated the necessary stuff and keep it always apt-get dist-upgrade-ed.
For me, and for many others out there, Debian - and now the quite many Debian-based distros, hey, there are even Debian SID-based distros now (!) - represent _the_ _GNU/Linux_ _distro_. For the others, there are plenty of others you can use and that is exactly why Linux distro forking is a Good Thing, try not to forget that.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Check out Arch Linux. It's a bit young, but up-to-date, fast, elegant and great package management.
BenCurry.net
Personally I think they would be best served by doing a little of each.
A notable problem with using "spinoff" distributions is package compatibility. Can I install any .deb package on Ubuntu without possibly causing binary version problems?
AFAIK, packages within Debian itself aren't even compatible with each other. If you're running unstable and you want to give a package to someone running testing, you're out of luck. Why is it a surprise that Ubuntu packages wouldn't be completely compatible? From my experience with Ubuntu, it seems like most Debian unstable packages are forward compatible to Ubuntu, but I doubt the reverse is true. This makes sense. Ubuntu has more up to date packages than even unstable at some points, since Ubuntu applies its own patches, and the Debian maintainers may not apply them immediately. If they add the Ubuntu repository at a low priority and try installing your package, it'll probably work, but some of their libraries will be updated to Ubuntu versions. That's a bad thing, because it might break future updates within unstable for them. Maintaining package compatibility and achieving Ubuntu's goals at the same time would be impossible to do.
By the way, Ubuntu isn't a "spinoff" distribution. It stays with Debian unstable, then freezes the set of packages and stabilizes them. For the next release, they start over.
FreeBSD maintains the same kind of stability WITH a more current release schedule. 5-stable (unlike 5-release) will give you a very stable system. 5-release will give you a pretty rock solid system, though unbreakability is not guaranteed. Use 6-current and you better expect breakage, though it's not guaranteed. The last -stable FreeBSD milestone? Nov. 6 2004.
Before there's a shitload of replies about 5 sucking - yes it did suck when it was strictly a new technology release. Now bugs have been patched and more things have come out from under the giant lock. Speed has increased, as has stability, and it has earned the -stable tag. The point of this post is just to say stable != extremely out of date. stability is just well-tested, well-written code.
Debian stable is too old. It doesn't work on latest x86 and PPC hardware. Testing is fine for desktop, but for people who need stable and secure system for servers it's not an option. Since there is no security support for testing and there still are some bugs.
So we really need stable releases more often. Doing it by dropping some architectures makes sense to me, if you can't buy the hardware anyway. Also developers can still work on their favourite architecture and release if they keep up to the speed those 4 most popular architectures are releasing. It just means that i386 won't be waiting if there are some bugs on m68k.
And yes, I run debian testing
My only complaint is that the testing version of Debian is updated a bit too often. I dislike having to get 10-20MB of packages every week to keep up just in case there are some security updates included (Debian security notifications are only done for the stable release).
I would prefer something in between stable and testing, updated reasonably often with new packages (and features) and also have security releases in between as required.
debian's package management system includes the ability to pin. that is, to attach various repositories/package trees of varying distributions with varying priorities. all my systems start stable and quickly receive a good number of testing grade packages. because of dependencies, this means my system is usually ~50/50 stable/testing. i then usually add some non-system-metal stuff from unstable like KDE, gnome, & staroffice.
i also have a long list of external package repositories from apt-get.org. some of my systems also track ubuntu packages as well. i run ubuntu's Xorg package set on my laptop (better acceleration, maybe one day working Xorg Suspend-To-Ram on my ancient ATI mobility ). it works perfectly transparently, including xcompmgr & all.
the nice thing about debian is it lets you mix and match very easily while resolving all dependencies very nicely & very cleanly. also, you can set up your own repository very easily to take a sample collection of packages from kingdom-come and mirror it so it looks like a somewhat cohesive single repository. with apt-build coming along nicely, you can even cleanly and efficiently maintain your own patched versions of packages as they evolve, making it easier to recompile all your programs for Heimdal kerberos instead of MIT, for classic example.
who gives a rat about stable? just pin what you need. debian distro is really about empowering the user to whatever ends with the most direct simplicity. distros like ubuntu are there for those who just want a single clean complete desktop distro.
Myren
Debian has always made a problem for itself by using 'stable' as a version description. It's fine if you know that 'stable' means 'not likely to change much', but to most users the word implies that all other versions are 'unstable' which make them think that it's likely to crash a lot. I think a more relevant description would be 'static'.
All servers I install are Debian and initially I used stable but now I use testing and have not had a single problem.
For servers, Debian's great. For desktop, it's still great except that you use Knoppix or Ubuntu instead which take care of providing the latest and greatest package versions. Underneath they're still good old rock-solid Debian!
Watson: No shit, Sherlock.
Use ISO 8601 dates [YYYY-MM-DD]
Can I install any .deb package on Ubuntu without possibly causing binary version problems? Similarly, can I build a package on Ubuntu, give it to a Debian user, and be sure that it'll work properly on their system?
Actually...Yes. Yes you can
In fact the system I'm writing this on is Ubuntu Warty and I have the Debian Sarge repositories loaded in my sources list. I've got quite a few Debian packages loaded on my system with no breakage whatsoever. I've heard people refer to this type of setup as "Debuntian".
I wouldn't do anything stupid like apt-get upgrade (I comment out the Debian stuff for that) but for installing specific packages you're pretty safe.
"And then I visited Wikipedia
Debian is a victim of its own success.
It's an absolutely massive project. There are about ten thousand packages, all including metadata for full automatic dependency checking and resolution. Each of these packages is available for each of a dozen architectures, and there is consistency across all platforms. Debian is Debian; whether it's running on an Intel, a PPC, a Sparc, an ARM or whatever. The user need not know what lies beneath the skin of the machine; the procedure for doing something should be absolutely the same whatever is inside.
For a project of that sheer size to work, it's pretty much got to be ruled over with an iron fist -- if not literally, then those involved have to act as though it were so.
Woody is out-of-date for desktops; I don't think there is any question of that. KDE 2.2? Hello? And it's not exactly up to the minute for servers, either: it's still pushing Apache 1.3, for crying out loud!
The real problem stems from the fact that before a package can be accepted into the Stable release, it has to be shown to be bug-free on each of twelve architectures. So if it segfaults on a steam-powered toaster, it can't be deemed fit to run on an 80386.
But that's just the ideal for the Stable distribution. There are two other Debian distributions, Testing and Unstable. Whenever someone creates a brand-new .deb package, it goes into Unstable. The rules are, if you run packages from Unstable, and they break, you don't bitch: you fix them, or you keep your trap shut, but you don't bitch. Once a package has been in Unstable for awhile, it can go to Testing. When the project leaders are satisfied that the current state of the Testing distribution satisfies all the criteria and is fit to call Stable, then a new Stable distribution is born.
Testing is actually the Debian distribution you probably really want to be running if you have an 80386-type machine. Yes, security updates get ported into Stable in good time; but Testing probably has newer versions of packages anyway which are likely to have the security patch in by default. It's safe to run on servers iff you read the news and you know how to apply a patch and compile a package from source. {And if you don't, then what the hell are you doing running a server?} But Unstable is actually quite reasonable. I've found it to be no worse than Fedora or Mandrake: any problems I've had with packages not installing or not co-operating turned out to be due to mis-specified dependencies, requiring cunning use of manual override and package searches. So no worse than any RPM distro there :) It's not the packages themselves that are unstable; rather, the versions are unstable, simply because the maintainers keep putting in new versions as soon as the .debs are put together. I wouldn't run it on a server; but on my laptop, which is behind a firewall, it works very well, and I'm also using it on my work desktop {an AMD64}. All that being said, I am tempted to try Kubuntu -- it's just like Ubuntu but with a KDE desktop {sorry, but despite my best efforts, I really can't get to grips with GNOME}.
It's also worth remembering that every Debian-derivative -- Ubuntu, Linspire and so forth -- started out as a copy of the Unstable tree.
Je fume. Tu fumes. Nous fûmes!
FreeBSD maintains the same kind of stability WITH a more current release schedule.
FreeBSD doesn't have packages for most of things and for a few platforms. Compare that with releasing 12000 packages (14 CDs, IIRC?) for 10-12 architectures. Is not that FreeBSD sucks, they work great, but is not fair to compare two things that are not really the same. And BTW, the 4.X -> 5.3 step has not been exactly "fun".
(and don't come saying "this is the proof that ports > packages". Time has showed everybody that packages are valuable, I don't want to start recompiling libc or X.org because of a critical security bug when I have a spike load, ok?)
No i'm not talking about the spoilers and alloy wheels.
Seriously Gentoo has x86(stable) & ~x86(testing) and their equivalents for each platform, and different packages are considered stable or not on a per platform basis.
Surely something like this for debian, with perhaps core architectures being released together (eg x86, ppc & Alpha).
Also how about Stable, Release and Testing/unstable as better names.
Testing & unstable all sound like they are broken, when in fact testing usually isn't.
Although unless you could post a subject, or the mail account you mailed from it'd be hard to tell.
There are literally hundreds of messages going to the security@debian.org alias - and vendor sec also gets a lot of spam. This is one reason why sometimes I've lost things.
Of course that's likely not to be what's happened to yours, maybe it just got queued up behind all the other things that we're working on.
Does that help?
Feel free to ping me with another copy if you like.. Actually forget I said that, I've just found your mail and I've personally not responded because of the lack of details - we already publish our private keys on our webpage so asking for them again is extra work when we've got lots to do.
Vendor-sec / Debian can do lots of things your particular case you might think of a more appropriate person to pass it onto - obviously I don't wanna give details here.. Grr.