[Talkmeister]: Welcome, our next talk will be about the Debian Long Term support team and the speaker is Raphaël Hertzog.

[Raphaël Hertzog]: Hello. Today I will speak a bit about Debian long term support. I guess most of you already know about it. Are there some people who have no idea what this is about? No, good.

I will make my talk in 3 parts. First I will present the team, how it works. I will give some facts about how it evolved over the first years. I took some time to collect statistics and believe they are rather interesting. I will also speak about the future but there will be a separate discussion about this in a BoF later this week. I will show you how to help because, like any other team in Debian it is open to anyone. We welcome help. At the end I will answer your questions.

What is LTS about? The idea is really simple. We wanted to extend the support period of all Debian releases. Currently it is basically for 1 year after the next stable release comes out. We wanted to extend this to 5 years to match, at least, Ubuntu's offering, which is not our competitor, but for the companies that are making choices it is one of the important criteria. So we wanted to do as well. Since we publish new stable releases every 2 years it is roughly 3 years. A nice side benefit is that the user can skip a full release.
We don't officially support dist-upgrade over going from Debian 6 to 8 but you can do 2 dist-upgrades at the same time, limiting the downtime to once every 5 years. By the way, in practice, in simple server configurations, dist-upgrades tend to work rather well even across 2 releases.

Keeping a distribution secure for 5 years is a real challenge. It is hard work that not everybody is willing to do. In Debian all the work is done by volunteers who do the work they enjoy. Generally we enjoy working on new features on top of latest releases and not really on backporting patches to crud that was written 5 years ago.

The security team has limited resources so we could not just ask the security team to now do twice the work. But they were still really interested in the project and wanted to support the idea and really helped to get it bootstrapped. The security team has a slightly larger scope. They support all architectures, which means you have lots of problems of coordination when security updates do not compile and stuff like that.

What did we do? We restricted the scope by picking the 2 most popular architectures that most users care about. We have had some demand for ARM architectures but up to now we only support amd64 and i386. We also excluded some packages from security support.
Either because they are taking too much time, like a security issue every 2 weeks or that upstream is not cooperative enough to be able to support it. This list was basically made by the current security team based on their experience of doing security support. If you look at the list there are some important restrictions. There's no xen, no kvm, no rails, no browser. It sucks a bit. But it's a way to get it started. I think we can do better for wheezy. Basically there is no virtualization support on the host, only on the guest.

The security team helped to bootstrap the LTS team but it is not the same team. Obviously there are members of the security team who also work on the LTS team. They work in close collaboration. We have regular contact and they watch our mailing lists etc. But the policies are different and the infrastructure is separate, which is a problem but I will talk about that later. We have a dedicated mailing list and a dedicated IRC channel as well. You are welcome to subscribe and to join.

It's a new team which means new people and new members. Where do they come from? The first idea was to get help from people in various companies who are already doing such in-house support.
We had contact with EDF, and still have, but they were one of the first companies who were pushing for this because they basically said we are doing this already and we can share with other companies. The idea was to pool security support of multiple companies. We sent a press release asking companies to join. We had a few responses. But I'll come back later to how it evolved. It's not really satisfying.

The other thing that we did is that we offered companies the option to fund the project to bring money and use this to pay the work of actual Debian contributors to do the security updates that we need. We have wiki pages listing all the ways that companies can help with money. In practice, most of the (wanting to be) paid contributors joined together under a single offer managed by Freexian SARL which is my own company.

I'll quickly explain how this works. Most companies don't want to bother bringing human resources ??? (08:25) They buy long term support contracts from Freexian. We have a rate. When you give €85 you fund 1 hour of LTS work. This is the current list of sponsors. Top level gold sponsors sponsoring more than 1 day of work per month. On the other side we have Debian contributors that are doing the work and Freexian is paying them.
There is a small difference between the rate to cover administration costs because I have to handle the invoices and some customers are using Paypal which is taking a cut.

We ask contributors to follow some rules. There is a requirement to publish a monthly report on work done on paid time. So they won't get paid until they have published a report. So everybody can know how the money has been spent. Currently we have 7 Debian contributors and about 30 sponsors.

Some figures. Who uploaded packages? How has it evolved since June last year? How is the funding evolving? I just updated those figures a few days ago. I used this talk before at the mini DebConf in Lyon in March, but I updated it again.

The number of uploads is roughly over one year since we started last year. Over 300 uploads so it is not so much but it is almost 1 per day. So it is significant work. I have given a state here of who paid for the work and who did it on the left. The sponsors of Freexian are paying for most of the uploads. ??? None is a separate category grouping all Debian maintainers. There are maintainers who are taking care of their own packages in LTS. Security team is members of the security team who also work within the LTS team.
EDF is Électricité de France. Individuals are Debian developers that have listed themselves as members of the LTS team and did uploads for packages of other maintainers not their own. Credativ is a German company that you probably know. They have a booth here if you want a job. Toshiba, Univention, Catalyst etc are other lower ???

On the right are people. The top 5 people are paid by Freexian. Raphaël Geissert is working for EDF. Thijs is a member of the security team. Kurt is openssl maintainer ??? Mike Gabriel is also paid by Freexian. Christoph Biedl is mainly maintaining the debian-security-support in Squeeze LTS. Nguyen Cong is employed by Toshiba. Christoph Berg is employed by credativ doing postgresql maintenance.

How did it evolve over the year? (13:04)