Explanations about the ELTS cost estimation
We have been doing security support of Debian packages since 2014 so we have a long history of data that lets us estimate the workload (and thus cost) required to keep each package secure.
We also have historical data of our customers so we know which packages are the most popular among our customers. We use this data to define the “per customer cost” of each package based on their expected popularity. At the same time, we also know that the number of ELTS customers is decreasing over time because some customers have finished migrating their servers or reached the end-of-life of their own product.
We have combined all those data to build a cost estimation model so that when a prospect submits us a package list to support, we can quickly provide a cost estimation for the whole support period that they need.
What is included in the cost estimation
The cost estimation combines two parts:
- a fixed amount per semester that covers the cost of our infrastructure and of the maintenance of all the “base packages”.
- a variable amount per semester that covers the cost of maintaining all the packages used by the customer
The part of the price that covers the maintenance of the packages will grow each semester. During the first 2.5 years, the price increase will be moderate (around 10% each time) but it will be more important in the last 2.5 years.
Examples of a cost estimation
The below examples have been made for Debian 10 Buster. The figures and package lists may vary for other Debian releases.
A small container with a web service
In this example, we ran debootstrap and then installed Apache 2, PostgreSQL and PHP. This resulted in this package list.
The associated cost estimation looks like this:
Your list of packages to support in Debian buster contains 150 packages.
Among those there are 0 packages that Freexian will not support (see the warnings.csv file for details). Among the 150 packages that we can support, there are 84 that have an history of security vulnerabilities.
The price for each semester consists of a fixed sum (covering the cost of the base system and infrastructure costs) and of a variable amount depending on the cost of your packages (you can have some details about the price of each package in the initial period in the packages-cost.csv file) and of the time elapsed.
The price increase tries to model the loss of customers over time, it’s a slow increase over the first half of the ELTS period and a steep increase afterwards because the bulk of the customers will have migrated to another Debian release at that time.
- 2024-H2: 3675 EUR
- 2025-H1: 4095 EUR
- 2025-H2: 4515 EUR
- 2026-H1: 4935 EUR
- 2026-H2: 5355 EUR
- 2027-H1: 6930 EUR
- 2027-H2: 8505 EUR
- 2028-H1: 9975 EUR
- 2028-H2: 11550 EUR
- 2029-H1: 13020 EUR
An embedded product
In this example, we used debian installer in a virtual machine: we installed the “standard” and “OpenSSH server” tasks, then manually installed curl, busybox, ntp and openjdk-11-jre. This resulted in this packagelist.
The associated cost estimation looks like this:
Your list of packages to support in Debian buster contains 302 packages.
Among those there are 1 packages that Freexian will not support (see the warnings.csv file for details). Among the 301 packages that we can support, there are 129 that have an history of security vulnerabilities.
[…]
- 2024-H2: 4830 EUR
- 2025-H1: 5355 EUR
- 2025-H2: 5880 EUR
- 2026-H1: 6405 EUR
- 2026-H2: 7035 EUR
- 2027-H1: 9555 EUR
- 2027-H2: 12180 EUR
- 2028-H1: 14700 EUR
- 2028-H2: 17220 EUR
- 2029-H1: 19740 EUR
The associated warnings.csv file only mentions that “linux” is not supported and that one should use our backport of a newer kernel.