On Mon, Feb 19, 2018 at 08:40:12PM +0100, Michael Meskes wrote:
> > An example what "no security support" means in practice:
> I don't think anyone suggest "no security", but something like
> "security by upstream releases".
How can you guarantee that to our users for buster until mid-2022?
This only works when upstream provides an LTS branch covering the
lifetime of the Debian release.
Debian already does "security by upstream releases" for Firefox,
and this clearly shows why this is problematic:
- Firefox is very picky about the versions of two compilers
(gcc and rust) being used. That's why wheezy contains a
more recent gcc for Firefox, and that's why soon there will
have to be a bootstrap of a more recent rust in stretch.
- Firefox upstream decided to break all extensions, including the
ones packaged in stable, in the next ESR.
Except for extensions Firefox is a leaf package, imagining
"security by upstream releases" for some core part of the
system like OpenSSL sounds hilarious.
Node.js is the core of an ecosystem with > 1k packages in Debian.
gitlab is not the core of an ecosystem, but it uses both uses Node.js
and Rails. How can you guarantee to provide "security by upstream
releases" for gitlab until mid-2022 if a new gitlab might require
more recent versions of many dependencies?
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed