On 30/01/2021 21:16, Andy Smith wrote:
I don't think you have "standard security support" on anything in
"universe", only in "main" - ever. As far as I understand Ubuntu
security updates for packages in "universe" are best effort by the
community, not by the Ubuntu Security Team.
https://wiki.ubuntu.com/SecurityTeam/FAQ
or have I misunderstood?
I'm probably the one misunderstanding. :-)
It doesn't change my reasoning much though - "best effort" means that
effort is more likely to boil down to "upgrade to the newest LTS" rather
than backporting a patch. Best practice should be to be on a supported LTS.
In my experience very few people understand about "main" vs
"universe" and "multiverse". I might be one of them.
Once again I will say that CentOS's straightforward 10 year support
promise was one of the reasons why people liked it. But
understandably that was a lot of work for Red Hat.
Yeah, although the downside is that some projects just don't work
over such a timescale anyway. I have some CentOS servers I inherited at
work, and noticed one hadn't been updated for a long time. So I did an
update, which broke a PHP based website. I soon discovered that the
website used a very old PHP bytecode cache/accelerator configuration
that was no longer supported - and hadn't been for years. Fortunately it
was an easy fix - disable the accelerator, which was possible because
the website has very little traffic these days so it wasn't needed.
In the interests of balance, plenty of CentOS servers also updated
without issue. But it's plainly not guaranteed.
I think that the pace of many projects means that assuming support for
longer than four to five years is probably unrealistic anyway. There are
some very mature and static projects that are less likely to have
breaking fixes - typically infrastructure like DNS/DHCP/mail servers/web
servers. But those servers should still be reviewed every few years,
just to ensure that their configuration meets modern norms. Leaving a
server in a metaphorical corner and hoping it's still fine is probably
not a good strategy...
Regards,
Phil