-------------------------------------------------------------------------
The Debian Project http://www.debian.org/
Security Support for Debian 4.0 to be terminated press@debian.org
January 21st, 2010 http://www.debian.org/News/2010/20100121
-------------------------------------------------------------------------

Security Support for Debian GNU/Linux 4.0 to be terminated on February 15th


One year after the release of Debian GNU/Linux 5.0 alias "lenny" and
nearly three years after the release of Debian GNU/Linux 4.0 alias "etch"
the security support for the old distribution (4.0 alias "etch") is
coming to an end next month. The Debian project is proud to be able to
support its old distribution for such a long time and even for one year
after a new version has been released.

The Debian project released Debian GNU/Linux 5.0 alias "lenny" on the
15th of February 2009. Users and Distributors have been given a one-year
timeframe to upgrade their old installations to the current stable
release. Hence, the security support for the old release of 4.0 is going
to end in February 2010 as previously announced.

Previously announced security updates for the old release will continue
to be available on security.debian.org.


Security Updates
----------------

The Debian Security Team provides security updates for the current
distribution via <http://security.debian.org/>. Security updates for the
old distribution are also provided for one year after the new
distribution has been released or until the current distribution is
superseded, whatever happens first.


Upgrading to Debian 5.0 alias "lenny"
-------------------------------------

Upgrades to Debian GNU/Linux 5.0 from the previous release, Debian
GNU/Linux 4.0 alias "etch" are automatically handled by the aptitude
package management tool for most configurations, and to a certain degree
also by the apt-get package management tool. As always, Debian GNU/Linux
systems can be upgraded painlessly, in place, without any forced
downtime, but it is strongly recommended to read the release notes[1] for
possible issues, and for detailed instructions on installing and
upgrading.

1: http://www.debian.org/releases/lenny/releasenotes

Doesn't seem like supporting 4.0 for only a year after the 5.0 release is much of an accomplishment, sounds like the exact opposite to me, so I'm not sure why they appear to be boasting about it.

I agree. One year of support for old version would suck if you were using this for your business.

Heck even Fedora which is bleeding edge rolls out new copies every 6 months but maintains the previous one for around a year.

Most commercial UNIX variants support the current and previous major release. RedHat Linux is still supporting RHEL 4 even though RHEL 5 was released in 2007.

Just remember how many different architectures Debian supports.
It's not just a case of supporting i386 and Amd64 for a year after the current release.

http://www.uk.debian.org/distrib/netinst

Maintaining all the above is a huge undertaking especially for a non-commercial organization like Debian.

Etch was released April 2007, so that's almost 3 years of support (roughly comparable to the LTS releases of Ubuntu). The Debian release and support schedule is well-publicized; there is no reason to be surprised or alarmed by this announcement.

2 members found this post helpful.

Only if your distrubtion is using a package manager (+packages and repositories) that can't handle upgrades, like "Most commercial UNIX variants" do

Well the arch point is valid during the active phase of development, but is there really any reason that long term security support couldn't be maintained for the key architectures?

Realistically, 80% - 90% of the Debian users are going to be using the 2 or 3 primary architectures. I wouldn't expect anyone to complain about not supporting PPC past 4 years, but i386 is a very different story.

Time and resources.
Not only do the the developers have to maintain the Stable distribution,there's still Testing and Unstable that need constant development on all architectures.The line has to be drawn somewhere.Debian have decided that the line is one years support on the Oldstable distribution.

So realistically you are looking at approximately a three year lifespan for a release.
Not bad for volunteers i feel .

It has little to do with how you update packages and much to do with the 3rd party and in house applications you use on the system that prevent most upgrades. I had a RHEL 3 system for 4 years that I couldn't just thrown RHEL 4 onto not because of the differences in RHEL itself but because the database and apps would have needed to be upgraded by other teams in tandem with such an OS upgrade. This isn't unique to where I am but is true in most organizations. Its a question of allocating man power to projects. Upgrading for the sake of upgrading is seldom deemed an important driver by the powers that be.

Etch was supported for 3 yrs, more than enough time to rewrite any software that depends on newer versions.

Sadly, I can't agree with that.
Most of the software jlightner was referring to is very expensive and you don't always want to upgrade that unless strictly needed.

RHEL does have an advantage here.

On the long run, I do prefer debian though.
Yum isn't yummy and their "big version" updates just don't work (RHEL support is excellent, but eventually your software will become to old as well).