Debian stability


I used Ubuntu for six years and loved it, including the switch to Unity.

In fact, I still use Ubuntu Studio (12.04LTS) for my music (and XFCE is nice too ;) ).

However, I recently switched my laptop to Debian 7.1. I have found it to be very stable, especially Rhythmbox.

I have a question, though, about the stability issue. I've got my system to keep Iceweasel at the cutting edge (security reasons), but all else I leave in the stable state. LibreOffice, for example, stays at 3.

To what extent is it correct, though, for me to link 'stable' with 'old'? In other words, is there something more to the stability of my version of LibreOffice than simply its age?

Any thoughts appreciated!! :D

With Debian, it mostly is that the software version has received a certain amount of exposure (which often takes a lot of time with Debian's standards). That's why the packages are often quite old; however, it isn't as bad now as it used to be (with woody etc., for example).

Thanks, I guess I was wondering, given that there are over 20,000 packages that Debian maintain, what is the meaning of what you call 'exposure'? I understand that bugs appear over time. I can tell you for a fact I like Debian rhythmbox more than any rhythmbox I encountered when using (and keeping up to date with) Ubuntu. It used to buckle and close a lot. It doesn't on Debian 7.1.

Would, for instance, libreoffice be frozen by Debian at a particular point, with only the addition of bug-fixes? I can't imagine that that approach would be practical, but it's what I'm led to believe. What's going on? :)

Debian freezes the version of every package in the testing repository shortly before release. The idea is that to create a stable release there should be no changes that add, remove, or otherwise break existing functionality. Once frozen (said to be "in release freeze"), the software in the testing repository is extensively checked for consistency (all dependencies, recommends, and suggests must be installable), stability (measured by bug reports during the freeze), and upgradeability (all software in the previous Debian release must have a clean upgrade path available and all changes that break assumptions from the previous release must be thoroughly documented). Since software is constantly evolving, the most practical way to accomplish this is to stop updating the software with the latest upstream releases at a certain point in time. That is why the software in Debian stable releases is often said to be "old".

However, the age of the software does not imply that it is not secure. The Debian Security Team takes security very seriously. They track the vulnerabilities found in software in the archive and backport the necessary patches (or write new patches if they must) to make sure that every piece of software in the archive is secure. Although all of the patches the Security Team produces will make it into the stable archive eventually, there is a two-week delay for most packages while updates are vetted and tested. Obviously this is not ideal for security fixes, which is why the Security Team maintains their own archive (security.debian.org) which is added to the sources.list of all Debian installations by default. Security updates are delivered immediately through that repository before they eventually filter down to the other relevant release repositories.

Bugs filed against software in the stable repository will be fixed while that release is still supported. (Debian Squeeze and Wheezy are both currently supported stable releases, designated oldstable and stable respectively.) However, due to the restrictions imposed on software in a stable release and given the finite amount of time package maintainers have to work on their packages, only bugs marked "severe" and "release-critical" are likely to be fixed in stable releases. If bugs with lower severity are still relevant to the version of the package available in Debian Testing or Unstable, the package maintainer is much more likely to fix them so they will make it into the next stable release. (Therefore, filing bugs of any severity is not futile.) Since the severity of bugs is so important to release tracking, as you can see from my brief description, package maintainers and the Security Team reserve the right to change the severity of any bug at their discretion. Unfortunately, users occasionally file bugs with a much higher priority than they deserve just so the bug will be looked at. The maintainer of the affected package is assumed to have a much greater understanding of the internals of the software than the user and is hence allowed to change the severity of any bug filed against his package at his discretion. As a courtesy, maintainers will often also comment on the bug explaining why the severity was changed. Similarly, the Security Team sometimes needs to change the severity of a bug when it relates to a pending security vulnerability, for obvious reasons.

If you are interested in installing the latest version of LibreOffice on Debian Wheezy, you can do so through the backports repository. There is a backports repository provided for every Debian stable release for those who want the latest version of select packages. It is up to the maintainers of each package to decide whether they want to include their package in the backports repository, although many do for popular packages (such as LibreOffice and VLC). Packages in backports then track the version of that package in testing. This helps to ensure that a stable installation with backports installed will be cleanly upgradeable to the next stable release. However, APT's default policy dictates that even after adding the backports repository to your installation, software from it will not be automatically installed. You have to manually install it by temporarily giving packages in backports priority via your APT front-end. For example, you could install (or upgrade) LibreOffice in Wheezy from backports using apt-get as follows:

sudo apt-get install -t wheezy-backports libreoffice

Once software is installed from backports, it will track new releases in backports by default. So, following the previous example, when a new version of LibreOffice is added to Wheezy Backports it will be installed with your system updates with no further intervention required.

I hope my answer satisfied your curiosity. If not, feel free to ask me more questions. I have some understanding of Debian's internal procedures from the perspective of a package maintainer.
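
The security-archive arrangement described in the answer above can be verified on a given machine. The following check is an added example, not part of the original post: it parses one-line-style sources.list entries and confirms that binary packages for the release still come from security.debian.org. The sample file contents and helper names are constructed; `wheezy/updates` is the suite name Debian used for the Wheezy security archive.

```python
from urllib.parse import urlparse

# Constructed sample sources.list contents (not taken from the thread).
ENABLED = """\
deb http://ftp.debian.org/debian wheezy main
deb [arch=amd64] http://security.debian.org/ wheezy/updates main
deb http://ftp.debian.org/debian wheezy-backports main
"""
DISABLED = ENABLED.replace("deb [arch", "# deb [arch")  # entry commented out
SOURCE_ONLY = "deb-src http://security.debian.org/ wheezy/updates main\n"


def parse_sources(text):
    """Yield (type, host, suite) for each one-line-style sources.list entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) > 1 and fields[1].startswith("["):
            # Drop the optional "[ option=value ... ]" block after the type.
            end = next((i for i, f in enumerate(fields) if f.endswith("]")), None)
            if end is None:
                continue  # unterminated option block: malformed line
            fields = fields[:1] + fields[end + 1:]
        if len(fields) >= 3 and fields[0] in ("deb", "deb-src"):
            yield fields[0], urlparse(fields[1]).hostname, fields[2]


def security_archive_enabled(text, release):
    """True if binary packages for `release` come from security.debian.org."""
    wanted = ("deb", "security.debian.org", release + "/updates")
    return wanted in set(parse_sources(text))


if __name__ == "__main__":
    for name, text in [("enabled", ENABLED), ("disabled", DISABLED),
                       ("source only", SOURCE_ONLY)]:
        print(name, security_archive_enabled(text, "wheezy"))
```

The check only recognises the official host name, so a site that uses a mirror of the security archive would need that host added.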

Is there any way to track version numbers in backports?

Do you mean install new software from backports by default? You can do that via your APT preferences. For example, a simple /etc/apt/preferences that gives packages in backports equal priority to packages in stable would look something like the following:

Package: *
Pin: release a=wheezy
Pin-Priority: 600

Package: *
Pin: release a=wheezy-updates
Pin-Priority: 600

Package: *
Pin: release a=wheezy-backports
Pin-Priority: 600
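
How these pin priorities change what gets installed, as an added example that is not part of the original thread: a simplified Python model of APT's candidate selection following the rules in apt_preferences(5), which also covers the default backports behaviour described in the earlier answer. The package versions and the `candidate` / `pulled_from_backports` helpers are constructed for illustration; 100 is the priority APT assigns to archives flagged NotAutomatic with ButAutomaticUpgrades, as wheezy-backports is.

```python
# Simplified model of APT's candidate choice, after apt_preferences(5).
# Version tables are constructed samples, newest first as `apt-cache policy` lists them.
# Without a preferences file, wheezy-backports gets priority 100 (see lead-in).
DEFAULT = {"wheezy": 500, "wheezy-updates": 500, "wheezy-backports": 100}
POSTED = {"wheezy": 600, "wheezy-updates": 600, "wheezy-backports": 600}
STATUS = 100  # priority of the version that is currently installed

TABLES = {
    "libreoffice": [("4.1-1~bpo70+1", "wheezy-backports"), ("3.5-1", "wheezy")],
    "vlc": [("2.1-1~bpo70+1", "wheezy-backports"), ("2.0-1", "wheezy")],
    "rhythmbox": [("2.97-1", "wheezy")],
}
STABLE_ONLY = {"libreoffice": "3.5-1", "vlc": "2.0-1", "rhythmbox": "2.97-1"}
# LibreOffice 4.1-1 was installed with `-t wheezy-backports`; 4.1-2 arrived later.
AFTER_MANUAL = [("4.1-2~bpo70+1", "wheezy-backports"),
                ("4.1-1~bpo70+1", None), ("3.5-1", "wheezy")]


def candidate(table, pins, installed):
    """Return the (version, archive) APT would pick for one package."""
    best, best_prio, past_installed = None, -1, False
    for version, archive in table:
        prio = pins.get(archive, 0)
        if version == installed:
            prio = max(prio, STATUS)
        # Versions older than the installed one are downgrades: only at >= 1000.
        if past_installed and prio < 1000:
            continue
        if prio > best_prio:  # on a tie the newer version, seen first, stays
            best, best_prio = (version, archive), prio
        past_installed = past_installed or version == installed
    return best


def pulled_from_backports(pins, installed):
    """Packages whose next upgrade would come from wheezy-backports."""
    return sorted(
        name for name, table in TABLES.items()
        if candidate(table, pins, installed[name])[1] == "wheezy-backports"
    )


if __name__ == "__main__":
    print("default pins:", pulled_from_backports(DEFAULT, STABLE_ONLY))
    print("posted pins: ", pulled_from_backports(POSTED, STABLE_ONLY))
    print("manual track:", candidate(AFTER_MANUAL, DEFAULT, "4.1-1~bpo70+1"))
```

With every archive at 600, any package that has a newer build in backports is upgraded to it on the next system update, not only the ones installed from there by hand.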