[SGVLUG] FC repository searches

Dustin Laurence dustin at laurences.net
Tue Sep 12 17:35:39 PDT 2006 

On Tue, Sep 12, 2006 at 05:04:49PM -0700, Jeff Carlson wrote:
> 
> If dist-upgrade is only for upgrading between releases, then why is
> there always something available to be dist-upgraded?  If the release
> schedule is every 18 months, then it should only have something
> available every 18 months.  That makes sense to me.

The following is the best I can make out, though I know very well there
are people on this list better qualified to explain Debian than me.

No, but yes.  No, in that infrequently they will release a revision in
between official Stable releases (I think there have been two for
Sarge), and those can (I observe) require a dist-upgrade.  I think the
last time I had to do a dist-upgrade for Debian Stable it was for a
kernel bump that wasn't just a Debian patchlevel.  Other than that, the
only things that come down the pipe are security updates.  That's what
"Stable" means to Debian.  So, yes dist-upgrade should be infrequent for
Debian *Stable*, though not actually 18 months.

BTW, Slackware's security updates are the rarest I've seen, and when I
first ran it I thought I wasn't getting updates because there were so
few--I'm not sure how much of this is due to very conservative inclusion
strategies and how much is due to having such a small distro in the
first place.

[Digression] There are (at least) two security patch strategies a distro
can have, and which is chosen usually tells you a lot about the
intentions of the packagers and what the maintenance experience is going
to be like.  The Conservative strategy is that followed by, for example,
Debian Stable (I suspect RHEL as well, and many other server-oriented
distros).  Generally security upgrades are done by patching the exact
package version that was released to guarantee the minimum disruption
(for example, not bumping the upstream version generally means you don't
need to touch /etc), backporting from a later upstream release if
necessary, so that the upstream version number doesn't change, only the
Debian patchlevel.  Sometimes this is impossible, of course, in which
case it might be justified to bump the upstream version to close the
security hole.  If this is disruptive enough, then it might take a
dist-upgrade (which warns the sysadmin that this isn't something to do
without thought at 4:50 on a Friday afternoon), and if possible Debian
would rather roll several such upgrades together into a revision for
convenience.

This strategy works well for stability--I generally will do an 'upgrade'
to my little server without worrying about breakage.  The only times I
can remember this failing were when I didn't know enough to restart
something that needed restarting (and usually apt-get does that for you
too).  If I see packages held back, then I won't do them unless I'm
ready to spend a bit of time (tweaking a config file in /etc, for
example).

The Aggressive strategy, followed by e.g. Gentoo (likely also Fedora,
and I'm quite sure Sid does this effectively by simply having the
current pool) is to prefer to bump the upstream version, if this will
fix the security hole at hand.  This makes for a more up to date system,
of course, but it also means more work for the sysadmin (because quite
often /etc *does* need tweaked) and less stability (because obviously
you're running a set of packages that have been less extensively tested
together.

I actually have a point--the distinction between 'upgrade' and
'dist-upgrade' is partly to help you know when Debian was unable to
follow their preferred strategy of never changing an upstream version in
Stable, and so you can schedule the upgrade at your convenience.  If one
item needs a dist-upgrade I'm likely to assume it was a security patch
that might require reconfiguration or something, but if there are a
bunch of packages waiting all of a sudden, particularly if they are
really critical packages, I might go and check to see if there is some
sort of issue.  I am sort of lazy because my only Debian box right now
is Sarge, and Sarge is the one that attempts to be bulletproof.  Running
Sid would probably require me to monitor the news channels a bit better.

Gentoo has similar issues--I tend not to upgrade X and absolutely never
the toolchain without checking for issues--since Gentoo is self-hosting
breaking the toolchain is far more of a disaster than it is on a binary
distro.  (And thus Gentoo is fairly conservative about gcc and friends
even though it wants to be bleeding edge most other places).

I've never run a distro where I didn't have to learn some stuff like
that--I expect the same to be true for Fedora when I get a Fedora
partition up and running.

> The cool thing about 5.x was that it was the last libc5 version.  That
> means it can run WordPerfect for Linux, if you have that.

No, too bad.

Dustin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.sgvlug.net/pipermail/sgvlug/attachments/20060912/b65908d1/attachment.bin

More information about the SGVLUG mailing list