[GLLUG] Ubuntu versus Debian (was: Re: GLLUG still alive?)

John Edwards john at cornerstonelinux.co.uk
Tue Aug 13 20:22:12 UTC 2024


Hi


On Tue, Aug 13, 2024 at 08:00:34PM +0100, Carles Pina i Estany via GLLUG wrote:
> On 13 Aug 2024 at 16:18:59, John Edwards via GLLUG wrote:
>> ps. I've been tempted a couple of times to post about the ongoing
>> problems with Canonical not updating packages which have already been
>> fixed in Debian, but that would just be a rant and I don't
>> particularly want to start a flame war in hot weather.
> 
> which, I would like to ask: which reasons (I'm sure that you have
> reasons!) do you have to use Ubuntu instead of Debian?
<snip>

(Somebody had to ask, so I'll try to avoid making this too ranty)


Back when the decision was made at work (2006 I think), Ubuntu had a
5 year long term support and Debian did not have a stable release
schedule (although it does now).

But recently we have found that even though packages are within
support in Ubuntu, fixes which have been made by Debian are not
backported.

One of those was a critical bug in cyrus-imapd which prevented the
main command line tool cyradm from working. It took 20 months before a
fixed package was released:
	https://bugs.launchpad.net/ubuntu/+source/cyrus-imapd/+bug/1971547/

It was a simple fix to do with library dependencies, which had
already been fixed in Debian months *before* the Ubuntu package was
released:
	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000034

Also serious security vulnerabilities in packages such as Roundcube
are still not being fixed (year+), even though they are in Debian.

So we've ended up having to backport packages from Debian, at which
point we thought we may as well use Debian.

Yes, these packages are in the Ubuntu "universe" rather than the
"main" repository and are supposed to be community maintained, but
community users can not upload to the release repositories (only their
own repositories) so most people do not get to see those fixes unless
they carefully read the bug reports, and so end up with broken or
vulnerable software.

I'm not sure if this is lack of staff within Canonical or a breakdown
between them and the wider community.

And to add insult to injury Ubuntu now proudly displays a message at
every login telling you how many packages you have installed for which
you will not get any security updates unless you sign up for Ubuntu
Pro.

To my mind, the packages are there, the work has already been done,
mostly by people not employed by Canonical, so to release vulnerable
software and not fix it is rather unethical.

Clearly Canonical consider Ubuntu Pro to be the way forward for them
as a business (and it may work for them as a business) but I suspect
they will be following the same road Red Hat have taken.


ps. As a business, the company I work for did use to pay Canonical
for Ubuntu support many years ago. But they don't any more (lack of
quality and poor response times).



-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#