Hello, On Tue, 20 Feb 2018, Moritz Mühlenhoff wrote: > LTS has a clearly defined scope, while this is essentially contracting > work to extend the life time of some packages for some customers. > > I don't see a compelling reason for it to run on Debian infrastructure.
This was also my first feeling but if you include the CIP into the picture, you can conceive this as a first step into a new direction. Let me explain at the end. But assuming that we keep updates hosted on some debian.org host, do you think it's OK to continue to use the security tracker to track vulnerabilities in wheezy? On Tue, 20 Feb 2018, Joerg Jaspert wrote: > If this would be "just" extending the current LTS ways for more time, > then it would be OKish to stay on donated, voluntarily managed, > infrastructure. After all it helps all users of wheezy with updates, > nominally over all of wheezy. > > But the proposal is effectively just for a benefit of a few paying > customers, with a very selected set of packages and architectures, all > the rest lost out. Thats not ok to ask volunteers to support, nor > is it ok to use projects infrastructure for. The companies that want it, > should run it. Just to clarify, the set of packages/architectures supported is effectively selected by the sponsors, but the resulting work is made available to all. On Thu, 22 Feb 2018, Philip Hands wrote: > I'm in favour of making it possible for our users to build structures > that enable longer support periods if that's what they require. There > would seem to be a need for an OS that would have support measured in > decades rather than years, and we should not get in the way of Debian > being that OS. Indeed. And it's the reason why I mentionned CIP in my initial mail. They are not interested in longer support for wheezy (too early for them) but they are interested in working with us and helping us to make this possible as part of Debian. One of the persons I am in contact with mentioned that CIP members could (at some point) contribute security updates within Debian. Looking a bit further, I see a way forward where we have the security team (first 3 years), the LTS team (next 2 years), CIP members (next 10 years) taking over the charge of security updates for a given release. And indeed if we prepare the infrastructure for this by finding a way to host the updates for wheezy for longer than expected, we pave the way for CIP to take over security maintenance of our old releases. > I would however suggest that it should not be part of the normal mirror > area, since: Ack on all this. That's why I suggested to keep only the part on security.debian.org and drop the part on the main mirror. But we can also consider setting up slts.debian.org (Super Long Term Maintenance) and move wheezy entirely over there. Could this be a new DAK install managed by ftp-masters that would be continued to be signed with the official wheezy key? Otherwise it will be harder for users to transition if they have to install a new key. Or is there a way to let another team manage the repository and still get official signatures of the repositories? Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/