On Tue, 20 Feb 2018, Moritz Mühlenhoff wrote:
> LTS has a clearly defined scope, while this is essentially contracting
> work to extend the life time of some packages for some customers.
> I don't see a compelling reason for it to run on Debian infrastructure.
This was also my first feeling but if you include the CIP into
the picture, you can conceive this as a first step into a new direction.
Let me explain at the end.
But assuming that we keep updates hosted on some debian.org host, do you
think it's OK to continue to use the security tracker to track
vulnerabilities in wheezy?
On Tue, 20 Feb 2018, Joerg Jaspert wrote:
> If this would be "just" extending the current LTS ways for more time,
> then it would be OKish to stay on donated, voluntarily managed,
> infrastructure. After all it helps all users of wheezy with updates,
> nominally over all of wheezy.
> But the proposal is effectively just for a benefit of a few paying
> customers, with a very selected set of packages and architectures, all
> the rest lost out. Thats not ok to ask volunteers to support, nor
> is it ok to use projects infrastructure for. The companies that want it,
> should run it.
Just to clarify, the set of packages/architectures supported is
effectively selected by the sponsors, but the resulting work is
made available to all.
On Thu, 22 Feb 2018, Philip Hands wrote:
> I'm in favour of making it possible for our users to build structures
> that enable longer support periods if that's what they require. There
> would seem to be a need for an OS that would have support measured in
> decades rather than years, and we should not get in the way of Debian
> being that OS.
Indeed. And it's the reason why I mentionned CIP in my initial mail. They
are not interested in longer support for wheezy (too early for them) but
they are interested in working with us and helping us to make this
possible as part of Debian. One of the persons I am in contact with
mentioned that CIP members could (at some point) contribute security
updates within Debian.
Looking a bit further, I see a way forward where we have the security
team (first 3 years), the LTS team (next 2 years), CIP members (next 10
years) taking over the charge of security updates for a given release.
And indeed if we prepare the infrastructure for this by finding a way
to host the updates for wheezy for longer than expected, we pave the
way for CIP to take over security maintenance of our old releases.
> I would however suggest that it should not be part of the normal mirror
> area, since:
Ack on all this. That's why I suggested to keep only the part on
security.debian.org and drop the part on the main mirror.
But we can also consider setting up slts.debian.org (Super Long Term
Maintenance) and move wheezy entirely over there.
Could this be a new DAK install managed by ftp-masters that would
be continued to be signed with the official wheezy key? Otherwise
it will be harder for users to transition if they have to install
a new key. Or is there a way to let another team manage the repository and
still get official signatures of the repositories?
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/