Thomas Nybergh


Why use unsupported server software?

Monday, March 17th 2008, 0:39 UTC Published in in English, internet, linux/unix, notes, software, technology, web hosting

Late last month, the Debian GNU/Linux project announced that security patch support for the old stable release, 3.1 (codename Sarge), will end on the last day of March. Many people will keep using servers, integrated and other special-purpose systems running Sarge for a long time to come, without applying any patches, and I’m afraid I’ll have to count myself as one of them. Dreamhost, my current web host, hasn’t, as of today, openly discussed any plans to upgrade to the current stable release, Etch. Someone on #dreamhost (FreeNode) told me that delayed upgrades from outdated Debian versions have occurred before.

Widely used free operating systems with short support cycles (6 months to 3 years) include Fedora Linux, openSUSE, regular Ubuntu releases and FreeBSD releases. Debian releases are supported until one year after the release of the next stable version, which in Sarge’s case has meant the period between June 6 2005 and March 31 2008, slightly less than 3 years.
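A small end-of-support check is the kind of thing an administrator can run against a host before the deadline passes. The following is an added example and not code from the post; it reads the contents of `/etc/debian_version` and `/etc/apt/sources.list` (supplied here as constructed strings) and reports whether the installed release is still inside its security support window. The only dates in the table are Sarge’s, taken from the text above; the assumption that Sarge’s `/etc/debian_version` reads `3.1` and the `SUPPORT` table format are mine.

```python
import re
from datetime import date

# Constructed support table: release number -> (codename, release date, end of security support).
# Sarge's dates come from the post; other releases would be added the same way.
SUPPORT = {
    "3.1": ("sarge", date(2005, 6, 6), date(2008, 3, 31)),
}

# Matches "deb <uri> <suite> ..." and "deb-src <uri> <suite> ..." lines in sources.list.
SOURCE_LINE = re.compile(r"^\s*deb(?:-src)?\s+(\S+)\s+(\S+)")


def parse_debian_version(text):
    """Return the release number from /etc/debian_version content, e.g. '3.1'.

    Assumption: stable releases contain a bare version number; testing/unstable
    hosts contain a 'codename/sid' string, of which we keep only the first part.
    """
    return text.strip().split("/")[0]


def support_length_days(release):
    """Number of days between a release's publication and the end of its security support."""
    _codename, released, eol = SUPPORT[release]
    return (eol - released).days


def support_status(release, today):
    """Classify a release as of `today`.

    Returns ('unknown', None) for releases not in the table,
    ('supported', days_left) while security updates are still provided, or
    ('unsupported', days_past) once the end-of-support date has passed.
    """
    entry = SUPPORT.get(release)
    if entry is None:
        return ("unknown", None)
    _codename, _released, eol = entry
    if today <= eol:
        return ("supported", (eol - today).days)
    return ("unsupported", (today - eol).days)


def security_suites(sources_text):
    """Return the sorted suites pulled from security.debian.org in a sources.list.

    A host whose security line still names an unsupported suite will keep
    fetching an archive that no longer receives fixes.
    """
    suites = set()
    for line in sources_text.splitlines():
        m = SOURCE_LINE.match(line)
        if m and "security.debian.org" in m.group(1):
            suites.add(m.group(2).split("/")[0])  # 'sarge/updates' -> 'sarge'
    return sorted(suites)


def audit(debian_version_text, sources_text, today):
    """Combine the checks into one report dictionary."""
    release = parse_debian_version(debian_version_text)
    status, days = support_status(release, today)
    return {
        "release": release,
        "status": status,
        "days": days,
        "security_suites": security_suites(sources_text),
    }


if __name__ == "__main__":
    # Constructed sample input standing in for the two files on a Sarge host.
    sample_version = "3.1\n"
    sample_sources = (
        "deb http://ftp.debian.org/debian sarge main\n"
        "# security updates\n"
        "deb http://security.debian.org/ sarge/updates main\n"
    )
    print(audit(sample_version, sample_sources, date(2008, 3, 17)))
```

Run on the constructed input with the post’s date, the report shows Sarge still supported for 14 more days and the security suite still pointing at `sarge`; run again on April 1 it flips to unsupported, which is the signal to act.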

Not everybody needs long support cycles. I’m sure it’s perfectly reasonable, in some server environments, to use bleeding-edge OS releases and upgrade between them often, but once one starts looking at version numbers, it’s easy to spot web servers running ancient versions of BSDs and Linux distros.

Having observed hosting providers for some time, including the last year during which I’ve worked for one, I’ve often wondered why businesses keep using OS releases with short-term support in situations where everybody knows that a stable platform is needed for a longer time. There are some alternatives with sensible support periods: CentOS is a free giveaway of Red Hat Enterprise Linux’s massive 7-year support and thoroughly tested compatibility with many commercial software packages. Some Debian users may be satisfied by Ubuntu’s Long Term Support releases, with 3 years of support for desktops and 5 years for server software. Additionally, some hosting and virtualization control software, like that of Parallels (previously SWsoft), in a market that has traditionally been quite Red Hat-centric, is beginning to gain support for e.g. Ubuntu.

Sure, in web hosting the big security threat is unpatched and badly configured server-side scripts. That doesn’t, however, lower some random sysadmin’s stress level the next time the background radiation of the Internet fills up with automated exploitation attempts aimed at newly discovered problems in BIND, Sendmail, OpenSSH, or some other essential piece of infrastructure. On top of that, many web hosts allow Unix shell access, and as I understand it, if someone with bad intentions gains access to user accounts on a machine with insecure command-line tools, an even larger attack surface becomes available to exploit. Why are people doing this to themselves and their customers, when free server operating systems with long-term patch support are available?

©2012 Thomas Nybergh