]] Noah Meyerhans > To be clear, the ongoing cost to the cloud team of dealing with jessie > on AWS (where this issue originally came up) has been exactly zero, > afaict. That is, we haven't actually updated anything in >18 months. > Users who launch a jessie image there get 8.7, with 106 pending updates. > As long as LTS exists and users are happy with it, there's nothing > strictly wrong with this situation. They should update their instances > and reboot, but from there, they are free to continue using them in > relative safety.
I disagree with the statement that there's nothing wrong with this. We should not be in the business of distributing known-vulnerable software. There are practical considerations around point releases and such which makes this not-really-true for a period of time after there's a security update out, but this gets converged at each point release. If you look cdimage.d.o, we are only distributing the latest point release. I think the same standard should apply to cloud images. -- Tollef Fog Heen UNIX is user friendly, it's just picky about who its friends are
