On Fri, Jun 22, 2007 at 08:24:22PM +0200, ignatius wrote:
> I have two questions that really concerned me.
>
> - Why it's Debian that fixes bugs and security holes?

There are lots of differences between:
  upstream and Debian release goals
  upstream and Debian build environment (Debian has 10+ archs vs
    upstream's 1 -- in most cases)
  upstream and Debian package goals
  bugs introduced when upstream's package is introduced into Debian's
    distro of 16,000+ packages.
Also, Debian's bug fixes introduce their own bugs (regular and security).
These are true for any distro, not just Debian.

> Why it isn't
> upstream developers? How can you be sure that all security holes will be
> found or revealed?

No one can. So we rely on programmer skill, user testing, QA testing and
other things to find and fix bugs. This is true for all distros and
upstreams. Thus there is no perfect software. Of course, some folks hide
bugs and close the source; this makes things seem better sometimes.

> (for instance an old software in stable can have a
> security issue which is not in the recent version, so upstream can't
> find it) Why upstream developers of important softwares do not sometimes
> provide stable versions of their programs (eg linux kernel, libc, xorg),
> instead of let Debian do the job for them?

Debian has security support for a limited time for all its stable distro.
Also, there is the backporting of security fixes. And there is (still
unofficial) backports.org that has newer software made for stable release.

> I mean, with Windows® (sorry), things are sometimes more logical: the
> kernel, "xserver, xclient", etc. (important apps) are stable for years,
> but you can have the last firefox without update them (like a mix
> stable/unstable, except that stable softwares are maintained by upstream,
> not by a distribution).

This is currently done (more or less) by backports.org (or other similar
efforts).

>
> - Why Debian isn't KISS (Keep It Simple, Stupid!) compliant?

Debian strives for this and many folks seem to think it does it well.

> I mean, I never need to change my conf files. If I have a problem, I
> solve with apt-get or dpkg-reconfigure. I don't understand how things
> works and I'm too dependent on Debian. Furthermore, .deb are really
> complicated compare with other package tools.

The deb format is derived from the 'ar' packaging tool that is on every
UN*X system. That is not very complicated. Furthermore, all Debian related
files are conveniently in one directory (/debian), so as to easily
differentiate it from the upstream source.

> I like for instance
> Frugalware philosophy: "We try to ship fresh and stable software, as
> close to the original source as possible, because in our opinion most
> software is the best as is, and doesn't need patching."

That sounds more like Gentoo and its ebuilds. Debian distributes binary
packages.

>
> Well, I don't like what is Linux today. Software developers don't care
> about stability, are not responsible, whereas each Linux distributions
> re-do the same jobs without cooperate. Linus should do something. It's
> too easy to create a kernel and then let it go alone.

It's true that some areas could use better co-operation and many distros
don't communicate with upstream enough (where possible) to get their
changes upstream (where possible). But we do try.

>
> Sorry for my English that is very bad compare to the real Ignatius
> Reilly's English.

Most folks write English well enough to communicate their ideas and most
readers try to compensate for any lacking when they read their ideas. So I
think most folks understood what you wrote.

-- 
|  .''`.  == Debian GNU/Linux == |       my web site:           |
| : :'  :      The  Universal    |mysite.verizon.net/kevin.mark/|
| `. `'      Operating System    | go to counter.li.org and     |
|   `-    http://www.debian.org/ |    be counted! #238656       |
|  my keyserver: subkeys.pgp.net |     my NPO: cfsg.org         |
|join the new debian-community.org to help Debian!              |
|_______  Unless I ask to be CCd, assume I am subscribed _______|