Slashdot Mirror


Linux Distributions' Tracking of Upstream Projects Examined

An anonymous reader writes "Linux distributions track upstream projects, releasing a particular version with each official release. But how far behind the latest versions do these releases linger? Scott Shawcroft did an interesting new study into this relationship between distributions and upstream projects. Shawcroft says: 'Over the last 10 months I've been working on Linux evolution research. Similar to distrowatch, I track the current versions of packages in a number of distributions and the current upstream version. Based on that data I then graph a number of metrics to understand the relationship between upstream and downstream.' His presentation on the topic scheduled for [this] week's open source convention, OSCON, should provide an interesting insight into that relationship. Currently he is tracking 20 projects including the Linux kernel, Firefox, GCC, OpenSSH and GNOME on Arch, Debian, Fedora, Gentoo, openSUSE, Sabayon, Slackware, and Ubuntu."

36 of 132 comments

  1. What's Firefox? by 0100010001010011 · · Score: 5, Funny

    I run Debian you insensitive clod!

    1. Re:What's Firefox? by mcgrew · · Score: 3, Funny

      If I ever find a woman named Debbie Ann, I'll marry her.

    2. Re:What's Firefox? by Anonymous Coward · · Score: 2, Insightful

      Close, but no cigar. Marriage and sex are two different things.

    3. Re:What's Firefox? by XPeter · · Score: 3, Funny

      You kidding? Slashdotters have a better chance at marriage than sex. Women hardly want it as it is, and nerds are a total turn off.

      Slashdotter: Hey, so after the movie you want to go to my place?
      Babe: Sure
      Slashdotter: Here it is! *walks in*
      Mom: Hey honey, how was the date?

      --
      "The difference between genius and stupidity is that genius has its limits" - Albert Einstein
    4. Re:What's Firefox? by just_another_sean · · Score: 4, Funny

      Actually Ubuntu is an African word that means "one who is unable to install Debian".

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    5. Re:What's Firefox? by dondelelcaro · · Score: 2, Informative

      I'm still kind of disappointed that they haven't upgraded IW to 3.5 though.

      It's available in experimental. See packages.debian.org/iceweasel and bug #535192.

      --
      http://www.donarmstrong.com
  2. Tracking Debian Stable instead of Testing by Anonymous Coward · · Score: 3, Informative

    In Debian, all software in the repositories is frozen when a release is cut (e.g. Lenny). Only security updates are applied. If the author is going for accuracy, he should track Debian Testing, which gets updated frequently with new releases of various packages. The name "testing" is somewhat misleading. Packages in testing are considered stable enough for everyday use. The stable branch is intended to minimize updates, which is what you'd want for servers.

  3. Potayto potahto by $RANDOMLUSER · · Score: 4, Insightful

    Labeling the column "%Obsolete" is one way to look at it, sure. Or we could go with 1/X and call it "%NotBleedingEdge". Seriously, the distro maintainers are also looking at their own build packages, compatibility with other packages, internal documentation, etc. Just because the KOffice team (for example) decides to lose monolithic builds and go with package builds, doesn't mean that it doesn't make a hell of a lot of work for the downstream maintainers, and that only starts after the upstream guys release.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Potayto potahto by Burz · · Score: 4, Insightful

      And all of that work should be done by the application authors, not people who work on the OS who don't know what they are doing. I repeat: Ability to work on an operating system doesn't mean you know squat about sanely-coded and presented applications.

      This dynamic is why Firefox on FOSS systems is slow and feature-poor: A party that can't possibly take responsibility for all the apps being offered is inserting themselves between the application users and the authors, degrading what is otherwise a top-notch effort (Firefox).

      Think about that the next time radio buttons disappear after selecting (only on Linux Firefox for years), self-update keeps prompting when it couldn't even work, users are urged to "get the latest!" while they are forced to wait weeks (or forever) after their Mac and PC colleagues have upgraded, and when you click on a link and get prompted to "select application" to open with... and the dialog doesn't show applications but the Unix filesystem instead.

      Self-updating applications is an application feature, not an OS feature. People need approachable ways to install new and updated apps on OSes that are older than a few months! No one should be forced to the bleeding edge of OS releases every 6 months just to upgrade their apps.

      It all speaks of an OS that isn't feature-stable enough to give app developers a chance to properly target and integrate with the system. This problem of poor testing and integration arising from poor targetability is repeated over the whole spectrum of available applications.

      Stop releasing every 6 months and get the distro managers out of the applications.

      PS- I would also like to state what a POS the Slashdot editor has become.

    2. Re:Potayto potahto by Kjella · · Score: 4, Insightful

      Distro/package maintainers tend to be the only thing keeping Linux sane with the endless dependencies on libraries that again rely on other libraries with turtles all the way down. It might work poorly for the five applications that are basically big enough to roll their own framework but for all the Gnome/KDE apps that would be just terrible.

      I don't know why firefox is bugging me but my guess is it's because the developers are lazy... there's a little perl app called apt-show-versions:

      kjella@kjella-desktop:~$ apt-show-versions firefox
      firefox/jaunty-security uptodate 3.0.11+build2+nobinonly-0ubuntu0.9.04.1

      See that? It is up to date, and stop bloody bugging me about it. I'm sure the same could be done with an #ifdef LINUX and a few lines in C if anyone would bother, it doesn't even take a sudo. Do you know that when I go in Opera, right-click a file in the transfer window I do get a list of my Linux applications to open it with? They got sub-percent market share and do it right, but Firefox can't be arsed to do it. Why should I think it's the maintainer's fault when the developers can't be arsed to do the things they can do? Face it, Linux is maybe 5% of the total Firefox userbase now and we're getting the same shit we are with closed source apps.

      --
      Live today, because you never know what tomorrow brings
    3. Re:Potayto potahto by Pastis · · Score: 2, Interesting

      It's not because you're used to another paradigm that the Linux distribution one isn't appreciated by other people.

      Releasing every 6 months allows me to get new _system features_, not new apps. Most of the time I already got the apps I need thanks to appropriate sources. It's easy to add sources for the few things you might want to keep bleeding edge, e.g. browser, chat, office? The rest I am happy to have it stable.

      But most of the time, I don't have a need to upgrade an application. And every 6 months I am usually happy to upgrade my system.

      I find it much easier to _manage_ a system when you have sources. I can even do that remotely without fear. I like it when someone has verified the compatibility of having multiple apps on my system.

      On other systems, it's OK to have a small application self update itself as long as it doesn't mess with shared libraries. Think installing newer MS Office screws up your IE, or the other way around. Sometimes with no way to downgrade. I don't want that on my machine.

  4. fair comparison ? by cheap.computer · · Score: 3, Informative

    I am not sure if it is fair to compare Ubuntu Jaunty with Fedora, IIRC RHEL is a stable release so is Ubuntu Jaunty, and fedora is more like a dev release that tracks upstream closely. Similarly, Ubuntu Karmic is the dev version that tracks upstream closely before a stable cut of it is released. So probably comparing fedora to Ubuntu Karmic is a fair comparison.

    1. Re:fair comparison ? by pembo13 · · Score: 2, Funny

      Fedora is not a dev release.

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    2. Re:fair comparison ? by Kjella · · Score: 2, Insightful

      Who wants fair? There was plenty missing here, for example RHEL, SLES, Ubuntu LTS and Debian are probably in the same class but only Debian was in the survey. This was more like a sample with a spread, showing the spread between bleeding edge distros and stable distros. That said, my impression is that they picked a very round-about way of figuring out the age. Ubuntu has a release every six months, so the average age is close to 6mo/2 = ~13 weeks. Debian has 18 months, so 18mo/2 = ~39 weeks. Unless you're doing significant amounts of backporting that won't change and the number of releases behind will be a fairly linear equation with time. There's some better metrics to pull out here like "How bleeding edge are they when released" but I don't see him doing any of that.

      --
      Live today, because you never know what tomorrow brings
    3. Re:fair comparison ? by TanNewt · · Score: 2, Informative

      Scott here, yeah there is a lot more analysis to do besides what is on the front page. See my thesis for more details on the underlying data and email me analysis ideas.

    4. Re:fair comparison ? by TanNewt · · Score: 2, Informative

      Scott here. There are definitely better metrics we can derive from the underlying data. See my thesis for more details and email me your ideas.

  5. He fails to see.... by Darkness404 · · Score: 5, Insightful

    He fails to see that even the upgrading of a simple component like a library can cause all sorts of dependency issues. Not to mention that most distros follow a pattern of release, security updates, release where during the release is the only main changes in packages. This makes it a whole lot easier for maintainers to make sure nothing breaks.

    It's no surprise that Arch makes it to the top being a rolling distro, that is, one that doesn't have "releases" like Ubuntu, Debian, etc. but rather upgrades the packages as it goes along. Similarly, Fedora and Ubuntu tend to release pretty often, Ubuntu releases every 6 months and Fedora releases pretty fast. Gentoo/Funtoo are very similar to Arch. Sabayon, Slackware, Debian and SuSE don't release new versions very often. I also find it odd that they are testing Debian stable rather than testing or unstable.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:He fails to see.... by just_another_sean · · Score: 2, Informative

      Yeah my take on it is 95% of Debian has been around for a while and
      has been field tested so it's probably a good fit for that mission
      critical server you're about to build.

      I don't need the latest and greatest most of the time, just something
      that I know, with confidence, will work well for a particular purpose.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    2. Re:He fails to see.... by vlm · · Score: 2, Interesting

      The mystifying part of his calculation is that Debian Lenny was frozen exactly 51 weeks ago on Jul 27th 2008.

      http://lists.debian.org/debian-devel-announce/2008/07/msg00007.html

      Yet, somehow, the "average lag" for Debian Lenny is a mere 40 weeks, when it should approach 51 weeks as of today... I do not believe there have been THAT many security related patches, have there?

      Also obsolete is the wrong word. By the definition, "No longer in use" it obviously fails by the definition of being included in the distros. By the definition "Outmoded in design, style, or construction" it obviously fails because a trivial bug fix or trivial feature add does not change the entire design, style or construction of the whole thing. Linux 0.99pl7 now that is obsolete.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:He fails to see.... by xlotlu · · Score: 3, Insightful

      It's no surprise that Arch makes it to the top being a rolling distro, that is, one that doesn't have "releases" like Ubuntu, Debian, etc.

      I run Debian testing. It's very much a rolling release, and you're somewhat protected against obvious bugs by the nice policy. Of course, you can get more rolling than that and go full unstable. And throw in some experimental if you're feeling brave.

      The nice thing is you can mix-and-match. Most of my packages are testing, some are unstable, and right now I have a touch of experimental. With some APT pinning, you get a rolling release where you can decide per-package how bleeding edge you want to be.

      This is my laptop/desktop. For servers I mostly stick to stable, and if I really need a newer package I can pin it from testing, or look for it on backports.org.

    4. Re:He fails to see.... by TanNewt · · Score: 2, Informative

      Scott here. This is not necessarily true. The lag is the time since the oldest new release. So for it to approach 51 weeks each project would have had to release a newer version upstream immediately after the lenny freeze. Email me and we can look further into this.
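
An added illustration, not Scott's code and not part of the thread: the lag definition from the comment above, computed over constructed release dates, showing why the average lag stays below the age of the freeze. The project names, versions, dates, the ordering of versions by release date and the averaging across projects are all assumptions.

```python
from datetime import date

# Constructed upstream release histories: project -> [(version, release date)].
# None of these are real projects or real dates.
UPSTREAM = {
    "alpha": [("1.0", date(2008, 6, 1)),
              ("1.1", date(2008, 8, 3)),    # one week after the freeze
              ("1.2", date(2009, 3, 1))],
    "beta":  [("2.4", date(2008, 5, 10)),
              ("2.5", date(2009, 1, 4))],   # months after the freeze
    "gamma": [("0.9", date(2008, 7, 1))],   # nothing newer upstream
}

# Constructed snapshot of what the frozen release ships.
SHIPPED = {"alpha": "1.0", "beta": "2.4", "gamma": "0.9"}

FREEZE = date(2008, 7, 27)   # freeze date quoted in the thread
TODAY = date(2009, 7, 19)    # 51 weeks after the freeze


def project_lag_days(releases, shipped_version, today):
    """Days since the oldest upstream release newer than the shipped one.

    Returns 0 when the distribution already ships the newest version.
    Versions are ordered by release date (an assumption of this sketch).
    """
    ordered = sorted(releases, key=lambda r: r[1])
    versions = [v for v, _ in ordered]
    if shipped_version not in versions:
        raise ValueError(f"unknown version {shipped_version!r}")
    newer = ordered[versions.index(shipped_version) + 1:]
    if not newer:
        return 0
    oldest_newer_date = newer[0][1]
    return (today - oldest_newer_date).days


def average_lag_weeks(upstream, shipped, today):
    """Mean per-project lag in weeks (averaging is assumed, not confirmed)."""
    lags = [project_lag_days(upstream[p], v, today) for p, v in shipped.items()]
    return sum(lags) / len(lags) / 7


def fraction_outdated(upstream, shipped, today):
    """Share of projects with at least one newer upstream release."""
    lags = [project_lag_days(upstream[p], v, today) for p, v in shipped.items()]
    return sum(1 for lag in lags if lag > 0) / len(lags)


if __name__ == "__main__":
    print("freeze age (weeks):", (TODAY - FREEZE).days / 7)
    for name, version in SHIPPED.items():
        days = project_lag_days(UPSTREAM[name], version, TODAY)
        print(f"{name}: {days / 7:.0f} weeks behind")
    print("average lag (weeks):", average_lag_weeks(UPSTREAM, SHIPPED, TODAY))
    print("fraction outdated:", fraction_outdated(UPSTREAM, SHIPPED, TODAY))
```

Only a project that released immediately after the freeze contributes a lag close to the freeze age; later releases and projects with no new release pull the average down.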

  6. Older versions of distributions? by basicio · · Score: 2, Interesting

    I'd be more interested in seeing the statistics for older versions of distributions to see which age best, because I've been running into this problem with Ubuntu Hardy (8.04 LTS) for months now. I don't have the time or the inclination to upgrade my OS every 6 months, but even the LTS release of Ubuntu doesn't get major version upgrades for some packages I end up using a lot. PulseAudio hasn't been updated from the March 2008 version (0.9.10), which likes to crash randomly several times a week. Pidgin. Gimp. Amarok. All have very stable, very mature releases that are at least one major version beyond what's available. Now that I finally have some time I'm in the process of moving my Ubuntu box over to Arch primarily because it does rolling releases. It's going to be more of a pain to set up and keep running, but it's going to be a lot better than having to manually upgrade operating systems every six months to be able to run software that's been around for more than a year.

    1. Re:Older versions of distributions? by QuoteMstr · · Score: 3, Informative

      I don't know about those distributions, but I backport packages from Fedora to RHEL frequently. It's simple, really: just grab the fedora srpm and run rpmbuild on it. Most of the time, it'll work fine. Occasionally, you might need to adjust the spec file to accommodate some slight differences, but it's not a big deal. You end up with a package that integrates nicely with the package manager, satisfies dependencies in the normal way, and so on.

      Also, I'm not sure why the parent is moderated flamebait. It's legitimate to want to run a stable distribution, but use later versions of particular packages.

    2. Re:Older versions of distributions? by TanNewt · · Score: 2, Informative

      Scott here. Yeah, there is data for older distributions, it's just not on the front page. Look in the OSCON slides or my thesis.

  7. Obsolete vs Stable by Anonymous Coward · · Score: 3, Insightful

    While the charts are quite nice to look at, they really aren't that meaningful.

    Ex 1: Debian stable has 95% obsolete packages according to his metrics. For
    a rolling release distro that wants to be bleeding edge like eg arch this might
    be a bad indication. For a distribution that focuses on stability (like debian
    does) this is an (important) design decision. They promise to be rock
    solid and they guarantee that no feature changes occur during the support
    cycle, and that's exactly what they deliver.

    Ex 2: Suse is shown to have some 95% outdated packages. What he doesn't
    seem to consider is the fact that they do a lot of backporting, especially
    in the kde area (kdebase is one of the packages he uses for his analysis).
    A Suse version of kde that might seem outdated based on the package
    number will probably contain a great number of backported improvements.

    Another point that I think would be pretty interesting would be security
    updates. Not using the latest major release doesn't mean that you don't
    have a great security response time (or the other way around). Maybe
    he'd be able to track this as well, would be pretty interesting for those
    of us who have to rely on stable, tested and secure systems.

    Anyway, nice thing he started there. If he manages to get some more
    metrics this might become a very powerful tool.

    1. Re:Obsolete vs Stable by TanNewt · · Score: 2, Informative

      Scott here. You are totally right. These are all holes I'm aware of in the analysis. However, the problem gets much more difficult if you start considering patches and general stability. I don't deal with that because the problem already needs much more work. However, in the future, I'd be willing to explore other metrics. Email me to help out.

  8. Distributing is not easy, anyway! by VincenzoRomano · · Score: 3, Insightful

    Balancing conservative and progressive approaches in distributions is not an easy task at all.
    You can jump up a version or two of a package/project (firefox, gcc, kdebase?) and you end up collecting complaints.
    You can miss a version upgrade (linux, postgresql, xorg?) and you end up collecting even more complaints.
    Whoever talks about "major version bumps" and ".0 versions" is missing the real point: the need to care about features, reliability and effectiveness.
    Version numbers and names are just that: numbers and names. A v0.13 of a package can provide better overall results than a v4.2 of a competitor. And the step from 1.2 to 1.3 can provide much more advances than a 8.10 to 9.04!
    Distribution managers should thoroughly test in first person the forthcoming releases (alphas, betas, RCs ...). The people who use Linux for fun an hour or two a day have different feelings and needs than those who chose Linux for work 6 to 10 hours a day!

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
  9. Re:Linux package management is a mess by godrik · · Score: 2, Informative

    The point in ubuntu is being always a couple of months late. You probably want to use a more up to date distribution such as debian unstable (note: unstable does not mean will crash after a reboot, just that they may contain bugs).

    It is also possible to keep a mixed system, that is to say, use mainly debian stable but borrow some packages from unstable. It uses the preferences options of APT and you can find information on the debian website http://www.debian.org/doc/manuals/apt-howto/ch-apt-get.en.html

    BTW, there exists an even closer to upstream distribution of debian which is called experimental. I would not recommend a non debian developer to use that but it can be useful sometimes.

  10. gentoo by Anonymous Coward · · Score: 4, Informative

    I think labeling gentoo at 75% obsolete is rather crazy. gentoo gives you the choice between the stable, and the latest and greatest, and they can be mixed too. I got the newest kernel just days after it was released, no problem at all.

    1. Re:gentoo by TanNewt · · Score: 2, Informative

      Scott here. You are right but I consider unstable keyworded packages as the "future" version of Gentoo. See the website again for the metrics on it.

  11. Re:Linux package management is a mess by StopKoolaidPoliticsT · · Score: 3, Interesting

    Then use a different distro that has the flexibility you want. I use Gentoo myself and while most of my system is stable, I have about 70 packages set to use the latest versions of (gcc, the kernel, nvidia drivers, pidgin, etc). It's easy with Gentoo since all of that is compiled against the libraries which exist on your system. On binary distros, there can be incompatibilities between library versions (especially as you start adding more and more unstable packages to the mix), so it's hard to keep just a few packages up to date.

    In fact, it was that very problem which originally caused me to drop RedHat Linux back in the late 90s and go to compiling everything from scratch (I then migrated to Gentoo to automate things). And despite the memes, it doesn't take nearly as long to compile everything on modern hardware as some would have you believe. A full rebuild of my system takes about 24 hours (AMD64 X2 4400+, 1002 packages installed), but I do that maybe once a year. It usually amounts to 10-20 minutes a day.

    --
    Stop Koolaid Politics
  12. Re:Linux package management is a mess by Locklin · · Score: 2, Informative

    There are PPA repositories for those masochistic enough to want to work with nightly builds. For instance the following repo has nightly builds of Firefox.

    deb http://ppa.launchpad.net/ubuntu-mozilla-daily/ppa/ubuntu jaunty main
    deb-src http://ppa.launchpad.net/ubuntu-mozilla-daily/ppa/ubuntu jaunty main

    It's also possible to add Debian unstable or testing to your repositories, but set the preferred distribution to Jaunty (Package>Preferences>Distribution in synaptic). Then you can selectively install certain packages from unstable.

    --
    "Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
  13. Re:Similar with Ubuntu LTS by jedidiah · · Score: 2, Insightful

    Are you kidding? Are you confusing Debian and Ubuntu?

    Installing the newer Firefox (3.5) from repositories was not a problem.

    Installing the newer Firefox was also not a problem from the tarball (just untar and run).

    Stuff like "backports" are a part of the standard set of repositories.

    Using discrete packages is also pretty easy (skype) as are discrete installers (penumbra,vmware,oracle,word perfect).

    The WHOLE POINT of debian (and children) is the fact that dependencies are automatically dealt with.

    apt-get even makes resolving dependencies at compile time fairly trivial. Nevermind binary packages.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  14. Re:Linux package management is a mess by RiotingPacifist · · Score: 2, Informative

    It's brain dead easy on Windows to try beta software, and uninstall it if it breaks something. What am I missing on Linux?

    /opt
    seriously in a worst-case scenario linux package management becomes the same as windows package management (you install and maintain all versions yourself).

    that I want to always have the latest released version

    You are on the wrong distro then,
    If you want the latest version of everything, you definitely want a rolling release distro (sid/arch) of those if you want cutting edge I suggest arch.
    If you just want the latest stable version of a few apps, then: /opt and maintaining them yourself (as you would under windows)
    AUR, PPA, (other people compile them and host them, then apt updates them, most distros have these but they are particularly prevalent on ARCH)
    grok apt/yum and figure out how to safely use packages from a cutting edge release (e.g. sid/F12) alongside your stable release.

    Ideally all projects would host their own cutting-edge/stable repo, however while most of the time the same binary will run across most distros:
    1) packaging it up and providing the correct metadata for each release is a PITA, although opensuse have a tool that will do this for you, but nobody seems to bother :(
    2) testing against all distros is a major PITA, it's much easier to let somebody familiar with the distro do it (hence PPAs/AUR are quite good)
    3) bug spam, not to be too harsh, but if a newbie can't figure out how to install the vanilla version of your releases, they are probably not going to understand enough about their system to understand when something is/isn't your fault and you end up with bugs opened against the wrong projects.

    --
    IranAir Flight 655 never forget!
  15. Re:What about distros further downstream? by TanNewt · · Score: 2, Informative

    This research is ongoing. Email me (on the website) and we can add code to collect data from more distros.

  16. Re:What about distros further downstream? by onefriedrice · · Score: 2, Informative

    Some distros (notably Slackware, Mandriva, and Sabayon themselves) went from being based on other distros and started at some point doing the package integrations themselves.

    I could be wrong, but I believe Sabayon still uses portage and the Gentoo portage repository directly. They potentially have their own packages in their overlay, but AFAIK you can't really say they do the package integrations themselves. They still very much rely on upstream Gentoo.

    --
    This author takes full ownership and responsibility for the unpopular opinions outlined above.