[Nix-dev] Stable NixOS releases

Alessio Igor Bogani alessioigorbogani+nixos at gmail.com
Tue May 21 12:25:04 CEST 2013


Hi All,

On 21/05/2013 06:49, Nicolas Pierron wrote:
[...]
> Having a release cycle larger than the release cycle of the packages
> is a security issue.
[...]
> then we should better constantly follow the latest release instead of keeping
[...]
> because this version will have no more security updates.
>
> Then I don't think that we want to maintain our own version of
[...]
> by back-porting security patches to an older version.  Doing so would
> imply way more work, by people who are not necessarily familiar with the
> code.

I removed the word "Firefox" from Nicolas's statements to highlight that
these are true for *every* package available through *all* distributions.

> - What can we do?

Follow upstream authors. We don't have enough
manpower, technical skill, or bank account to provide security updates for
thousands of packages. Moreover, there is no way we can get
all upstream authors to converge on our release cycle.

After all, they (upstream authors) know better (and in effect they
already arrange their work with) their users' needs:
For example, web browsers are released very often to keep up with fast
moving web technologies, unlike databases, which aren't released often
and also provide maintenance on old versions.

We have to follow them, no more than that.

IMHO any other approach can create far more problems than it tries to
resolve.

Ciao,
Alessio

