Open Source and information security mailing list archives
 
Date:	Tue, 13 Nov 2007 00:13:41 +0800
From:	"Rogelio M. Serrano Jr." <rogelio@...global.net>
To:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [poll] Is the megafreeze development model broken?

Adrian Bunk wrote:
> On Mon, Nov 12, 2007 at 01:51:25PM +0000, Tuomo Valkonen wrote:
>   
>> On 2007-11-12, Eric W. Biederman <ebiederm@...ssion.com> wrote:
>>     
>>> I think a megafreeze development model is sane.  Finding a collection
>>> of software versions that are all known to work together is very
>>> interesting, and useful.  Making it so you can deliver something that
>>> just works to end users is always interesting.
>>>       
>> The distros only do that for the most important and most popular
>> packages, most of which have become rather "generic" and faceless
>> behemoths in the sense that they do not have definite authors and so
>> on, and for which it takes years to respond to bug reports in any case
>> (if someone even bothers to enter the bug in registration-required
>> Suckzilla, Debian's reportbug becoming much more usable in this case,
>> even though it typically takes another year for the package maintainer
>> to report things back upstream, if it ever even happens).
>>
>> Other more marginal software with a face, the distros just throw in
>> and expect the author to deal with users having problems with ancient
>> development snapshots and even bugs in stable versions that the distros
>> simply refuse to fix. They should not distribute that kind of software
>> at all. That is, distros should stick to providing stable base systems, 
>> and fully supported (and renamed if not generic) customised versions of
>> other software for their target audience. For the rest, there should
>> be better mechanisms for authors to distribute binary or otherwise
>> easily and reliably installable packages of their software. 
>>     
>
> The problem is not what the distributions ship, the problem is simply 
> that problems with distribution packaged software should be reported 
> to the distribution, not upstream.
>
> And for becoming at least marginally on-topic again:
> Assuming your "stable base systems" contains the Linux kernel, how would
> you prevent users from reporting bugs in their ancient kernels [1] here?
>
>   
Isn't the kernel easier to sync with latest and greatest?

The core libc and supporting libraries are the core, and the toolchain
the core dev. Those can be updated twice or even once a year. The kernel
can be updated once a month if you like.

I stopped using Debian myself and used a DIY Linux based toolchain and
libc. That's the stable core that I have been using for 4 months. If
Debian can reduce the footprint of the "stable core" and do monthly
releases of package bundles I will use it again.


-- 
Democracy is about two wolves and a sheep deciding what to eat for dinner.

