[arch] arch-stable
Roman Kyrylych
roman.kyrylych at gmail.com
Sun Dec 10 07:52:13 EST 2006
2006/12/10, RedShift <redshift at pandora.be>:
> Hi everyone
>
> Since I have been starting my webhosting company I have also been
> seeking for a good server distribution. I have searched and looked at
> all the server type distributions on distrowatch but none of them
> appealed to me. Arch's simplicity makes it a breeze to maintain and
> debug. Not to mention all those rpm based distributions these days, but
> that is beyond the scope of this email.
>
> However, arch has one problem. It does not have a stable repository. And
> the release repo is only a snapshot of current while a lot of other
> server software (like postfix) is contained in extra.
>
> Therefore I'm calling out to people who are willing to work with me on
> an arch stable repository. Upon a new release, the packages would be
> mirrored to the arch-stable tree. From there on only packages that have
> security issues are updated. So if apache were to release 2.2.5 and the
> one in release is 2.2.4, arch-stable would *only, and only then* emit a
> new package if 2.2.4 would contain security issues that are fixed in
> 2.2.5. Thus very similar to other distributions' "stable", release version
> packages + critical updates.
>
> Is anyone interested in this?
This scheme is the main reason why I hate Debian's "stable" packages.
For example they have php 4.3.10-x while the last stable is php 4.4.x.
For hosting having the latest (or at least the latest from previous
branch) version of PHP is important, IMHO, because besides security
fixes there are _functionality_ fixes/changes (I don't mean
_new_features_ here, only fixes/changes to how things work).
IMO old version + security fixes is not always more "stable" than new
version with those fixes already included. Of course I wouldn't use
php 6.0 after few days of release, but now 5.1.x/5.2 receive more
attention (and thus - fixes) than 4.4.x. Plus, there is php-suhosin
from hardened-php.net.
About "stable" Apache - honestly, I don't think 2.2.5 is less stable
than 2.2.4+fixes just because there are few new features.
Anyway when new security issue is found in some package - in most
cases it exists in old versions too, so security and age of software
version are not in close correlation.
IMHO "older is stabler" is a myth, created by Debian/Slackware guys.
There should be common sense when separating software to "stable" and
"unstable".
Of course new x.y.0 versions usually contain bugs, but almost all of
them are not related to security, and most of them are not related to
existing functionality, only newly implemented features. Usually
software is "stable" from version x.y.3 (for example).
To summarize:
IMHO it's not worth creating a Stable repo of all Current/Extra, but
creating some unofficial repo with all packages needed for hosting
with those versions that you consider "stable" is a nice idea.
You'll have some set of packages that you'll be sure are "stable" and
have all security patches applied. And you may wait until some package
stabilizes while not upgrading to the new "unstable" version in
Current/Extra.
Putting [hosting] repo above [current] and [extra] in pacman.conf will
do the job.
--
Roman Kyrylych (Роман Кирилич)
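
Added example, not part of the original message: pacman takes a package from the first repository in pacman.conf that lists it, regardless of version, so a [hosting] repo placed above [current] and [extra] can keep serving an older build after a fixed one appears below it. This Python sketch resolves that precedence and reports such held-back packages; the config, Server URLs, package versions and the simplified numeric version comparison (not pacman's own vercmp) are all constructed assumptions.

```python
import re

# Constructed pacman.conf: [hosting] is the post's repo name, Server URLs are placeholders.
SAMPLE_CONF = """\
[options]
[hosting]
Server = file:///srv/repo/hosting
[current]
Server = ftp://mirror.invalid/current/os/i686
[extra]
Server = ftp://mirror.invalid/extra/os/i686
"""

# Constructed repository contents: repo -> {package: version}.
SAMPLE_DBS = {
    "hosting": {"apache": "2.2.4", "php": "5.1.6"},
    "current": {"apache": "2.2.5", "glibc": "2.5"},
    "extra": {"php": "5.2.0", "postfix": "2.3.4"},
}

def repo_order(conf_text):
    """Return repository sections in file order, skipping [options]."""
    names = re.findall(r"^\s*\[([^\]]+)\]\s*$", conf_text, flags=re.M)
    return [n for n in names if n != "options"]

def version_key(v):
    """Simplified key for dotted numeric versions only (assumption, not vercmp)."""
    return tuple(int(p) for p in v.split("."))

def resolve(order, dbs):
    """Map each package to (repo, version) from the first repo that lists it."""
    chosen = {}
    for repo in order:
        for pkg, ver in dbs.get(repo, {}).items():
            chosen.setdefault(pkg, (repo, ver))
    return chosen

def held_back(order, dbs):
    """Packages whose winning repo carries an older version than a later repo."""
    report = []
    for pkg, (repo, ver) in sorted(resolve(order, dbs).items()):
        for other in order[order.index(repo) + 1:]:
            newer = dbs.get(other, {}).get(pkg)
            if newer and version_key(newer) > version_key(ver):
                report.append((pkg, repo, ver, other, newer))
    return report

if __name__ == "__main__":
    print(held_back(repo_order(SAMPLE_CONF), SAMPLE_DBS))
```

Each reported tuple is a package the pinned repo is holding back, which is the list to review whenever a security fix lands in the lower-priority repos.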