Debian's long-term support experiment

Well Supported

© Lead Image © elwynn, 123RF.com

© Lead Image © elwynn, 123RF.com

Article from Issue 194/2017
Author(s):

The Debian project is extending its famous development process to offer long-term support.

Debian Linux, which calls itself "The Universal Operating System," is a huge and popular Linux variant. Debian was one of the first Linux distributions, and it remains one of the largest, with over 43,000 software packages. Unlike many other leading Linux distros, Debian is not backed directly by a company, and it is managed democratically by the many volunteers who populate the Debian mailing list.

Despite its reputation as an all-free, counter-cultural collection for hackers, Debian is also quite stable and reliable, which makes it a viable option for many corporate networks. But after many years of Linux in the enterprise, admins have a pretty clear idea of what they want: a system that will operate for several years without requiring an upgrade. Rolling out a new operating system in the enterprise can take many months, and the process is quite complex and prone to complications. Better to make such events as infrequent as possible.

In 2014, the Debian developers woke up and realized the recent trend for Long-Term-Support (LTS) releases had left them behind. Because Debian is not backed by a company that can make money on selling support contracts (like SUSE, Red Hat, and Canonical), they had never gotten around to implementing some form of long-term support.

Before 2014, each Debian release was supported for one year beyond its "end of life," which was heralded by a new release. That support mainly meant integrating and providing security updates and bug fixes. Since Debian released a new version approximately every two years, the traditional Debian release schedule meant that each new version would be maintained for three years.

A three-year support period is too short for many companies. When Ubuntu, which is based on Debian, began to offer an LTS edition, the option of running Debian in the enterprise started to lose its appeal, and companies began to migrate to other systems. For example, in 2014, Spotify migrated 5,000 servers from Debian to Ubuntu LTS [1]. Red Hat and Suse also offer LTS editions that appeared to have snatched some of Debian's thunder.

To regain momentum in the enterprise space, the Debian security team decided in February 2014 [2] to experimentally release Debian LTS for then-current Debian 6 "Squeeze." The plan was to extend the support period from three to five years for Debian 6, 7, and 8 (Figure 1). The main problem: The approximately 1,000 official Debian developers were stretched to full capacity with what they were doing already.

Figure 1: The new extended support period provides two additional years of updates for each Debian release.

The need for additional developer hours resulted in the idea of asking companies (and users who are interested in the long-term support for Debian) to remunerate individual developers directly on an hourly basis for working on LTS updates. The extended support was initially only offered for x86 systems with 32-bit and 64-bit architectures; the support now includes the armel architecture and armhf for "Wheezy" (see Table 1).

Table 1

Debian LTS Support Period

Version

Supported architectures

Period

Debian 6 "Squeeze"

i386, amd64

up to 29 February 2016

Debian 7 "Wheezy"

i386, amd64, armel, armhf

up to 31 May 2018

Debian 8 "Jessie"

i386, amd64, armel, armhf (possibly others)

May 2018 up to April/May 2020

Debian 9 "Stretch"

i386, amd64, armel, armhf (possibly others)

2020 up to 2022

Debian's LTS support does not include support for all of the software: Around 40 packages in the web application and virtualization sector are excluded, since support for these tools cannot be guaranteed for the entire period. These tools include web browsers and applications such as KVM or Xen. The debian-security-support package automatically monitors the status during each package installation and informs the user.

After completing the preparatory work, the then-current Debian 6 "Squeeze" became Debian's first LTS version. Its successor, Debian 7, has a correspondingly long support period: "Wheezy" was released in Spring 2013, and its support does not end until 31 May 2018. Currently, Debian is planning to offer Debian LTS support for the still-current Debian 8 "Jessie." The same applies to Debian 9 "Stretch," which will probably ship in the spring of 2017.

One-Stop Shop

The infrastructure for handling LTS tasks is provided by Freexian [3], a consulting company operated by French Debian Developer Raphaël Hertzog. Hertzog publishes a monthly report on the current status, the tasks taken, and the hours worked by the individual developers. Any developer who receives money for work on Debian LTS is required to submit a report on a monthly basis.

The first official paid work for Debian LTS [4] was completed in July 2014. The report published at the time [5] showed 21 hours for two developers; the following month, the two developers had already contributed 32 hours. Two years later, in September 2016, the figures grew to 152 hours provided by 13 developers [6].

A text file on the Debian website provides an overview of the outstanding LTS work [7]. This file includes activity on packages, which sponsors are allowed to prioritize. As the number of sponsored hours increases, sponsors can book direct contact with the developers. It is also possible to apply test suites to cover the specific needs of each sponsor during updates of prioritized packets.

A developer hour costs the sponsor US$75, plus the administration costs for Freexian (Figure 2). To be eligible to contribute to Debian LTS as a developer, the candidate must be a Debian developer or Debian maintainer and prove that he or she has already released security updates for Debian.

Figure 2: Prices and services for Debian LTS.

Technically Simple Solution

Debian LTS was created as an additional repository that users needed to add to the source list, /etc/apt/sources.list or /etc/apt/sources.list.d/, as well as to the Apt configuration. Today Debian LTS is instead updated through the normal security repository:

http://security.debian.org/ wheezy/updates main

The transition from Debian "stable" to Debian "unstable" thus only triggers a team change in the background: The security team that ensured the release of security updates during the release's lifetime hands the responsibility over in the background to the LTS team at the end of the support period. Nothing changes for the user, who simply installs the usual security updates via the package manager.

Conclusions

The success of Debian LTS proves that Debian is still a preferred candidate for the enterprise due to its proverbial stability and well- respected security policy. The list of sponsors currently includes 38 companies. The list extends from major league players such as Toshiba and GitHub down to smaller sponsors like Linux Hotel or hoster BitFolk. Debian itself trusts in its system and has already promised long-term support for Debian 9 "Stretch," which will not take effect before 2019.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News