Debian Long Term Support - Details

This page provides more information about the offer described on the Debian Long Term Support page.

1. The principle

As a project led by volunteers, it’s currently not possible for Debian to provide 5 years of security support to its official releases. At the same time, many Debian users would greatly benefit from such an extended period of support. In order to fix this, a few volunteers have initiated the Debian LTS project in 2014. This open project allowed any Debian developer to contribute security updates for the last version of Debian which is no longer supported by the official security team.

To make this a project a continued success, and to ensure that all future releases can be announced with 5 years of support from the start, we need the help of organizations that benefit from this extended support. There are basically two ways to contribute:

  • have people from your company join the LTS team, and allocate them time to work on security updates following the usual workflow of the team;
  • hire Debian developers so that they can spend time on preparing security updates for the current LTS version.

This page is about the latter. Several Debian developers who are willing to provide security updates for Debian on a paid basis got together and created the offer on this page. Freexian, a French company managed by Debian developer Raphaël Hertzog, is collecting money from all parties willing to financially support the LTS effort and is spending this money to hire the Debian contributors who are providing security updates.

Note that companies whose employees have provided a steady flow of contributions towards Debian LTS can also be thanked in the dedicated section. Get in touch if you are in that case and would like to be listed.

2. The goal

The goal is to ensure that we have the means to provide proper 5-year security support for every Debian stable releases, taking over from the Debian security team once it stops to maintain a given release. With 200 hours funded per month, we are doing a reasonable job covering the bulk of the packages but we are not doing much investment to improve the security infrastructure for the future. Also our usage of Debian resources is creating some strain on other Debian teams and we want to be able to give back to those teams to reduce the frictions. The goal has thus been raised so that we can do more than just providing security fixes.

Any surplus will be used to improve the security in Debian in coordination with the Debian Security Team. For example, we could invest in better infrastructure which would also benefit the standard security support, or we could work on proactive measures like adding automated tests to avoid regressions on packages that are regularly updated with security fixes. Another possibility is to work on additional security hardening.

3. The benefits

3.1 Prioritize packages that you rely on

Any contribution gives you the right to submit a list of packages that you rely on and that should be prioritized in terms of security support. The votes will be weighted by the amount of money contributed. To submit the list of packages, follow the steps outlined below.

On your Debian servers, run this command:

$ dpkg-query -f'${source:Package},${Package},${Version}\n' -W >`hostname`.pkglist

Then collect all your *.pkglist files and merge them with:

$ sort -u *.pkglist >final.pkglist

Then send the file final.pkglist to sales@freexian.com. Feel free to drop packages from the generated list to only keep those that truly matter to you.

3.2 Private mailing list to seek advice

If your funding level is at least Bronze 1, Freexian will subscribe the person listed as technical contact to a private mailing list that all contributing companies can use to discuss their needs and share their experience. The goal is to help everybody make the best usage of what Debian already provides and to identify possible improvements to make Debian an even better choice for the future.

While the mailing list offers privacy to its members, good ideas of improvements will be shared on the appropriate public mailing list of the Debian project.

3.3 Direct contact with LTS staff

If your funding level is at least Silver 1, you can submit your queries and requests about Debian LTS in general and/or any security update in particular to us. In the spirit of transparency and collaboration, we prefer if you submit those requests on the public mailing list and at the same time you send a copy to sales@freexian.com to let us know that you want a reply from us.

3.4 Submit your own test cases

If your funding level is Platinum, you can submit to us functional tests covering the set of packages that you care about, and we will run those tests on updated packages to detect undesired regressions (ideally before they are released). If you have special requests, or specific needs, we will evaluate them and see what we can come up with.

Details about how those functional tests must be submitted are still to be defined but we will likely require functional tests in the form of a Debian source package with DEP-8 automated tests.

3.5 Thanked as sponsor

If your funding level is at least Bronze 1, you can be publicly thanked for this in the dedicated section of this page. Contributing companies are ranked in 4 categories: bronze (the default), silver, gold and platinum.

Sponsors at the bronze level and higher can provide a logo that will be linked to the webpage of their choice. Logos will be re-sized to a maximum of 75x150 for bronze/silver level sponsors and 150x300 for gold/platinum level sponsors.

Frequently Asked Questions

For any question not answered here, please get in touch with us.

Can you support a release for more than 5 years?

Yes, please have a look at our Extended LTS project. It works differently than regular LTS but you can get security support for up to 10 years. Don’t hesitate to contact us with a package list to have a quote.

Is there VAT applied on Freexian invoices?

For French companies, yes, 20%. For EU companies that provide a valid VAT Number, no. For other countries, no.

Can I contribute as an individual and not as a company?

It’s possible but there are two issues: as an individual, Freexian must invoice you 20% of VAT, and we don’t accept amounts smaller than 255 EUR without VAT per year (because handling smaller amounts would cost us too much in terms of administrative overhead). If you want to contribute an amount bigger than this limit and if you don’t care about the 20% of overhead due to VAT, please feel free to send us back the subscription form and we will prepare the corresponding invoice for you.

Why is this organized by Freexian and not by Debian/SPI?

Because it’s much more difficult to organize this in the context of Debian proper. Paying Debian developers with Debian money is still a no-go, the last time it was attempted, it generated quite some dissent (see this article).

That said, this project has the support of Debian: it has been mentionned in the Debian press release announcing the first LTS release (which has been vetted by the Debian project leader itself) and in multiple other announces since then. It is also a Debian project since its inception happened on the debian-lts mailing list.

Who will prepare the security updates?

The following persons offered their services (by alphabetical order):

Name Email Debian login IRC nick
Abhijith PA abhijith@disroot.org abhijith bhe[m]
Adrian Bunk bunk@stusta.de bunk bunk
Anton Gladky gladky.anton@gmail.com gladk gladk_
Ben Hutchings ben@decadent.org.uk benh bwh
Chris Lamb chris@chris-lamb.co.uk lamby lamby
Dominik George nik@velocitux.com natureshadow Natureshadow
Emilio Pozuelo Monfort pochu27@gmail.com pochu pochu
Enrico Zini enrico@enricozini.org enrico enrico
Guilhem Moulin freexian@guilhem.se guilhem guilhem
Helmut Grohne helmut.grohne@subdivi.de helmutg helmut
Holger Levsen holger@layer-acht.org holger h01ger
Markus Koschany markus@koschany.net apo apo
Ola Lundqvist ola@inguza.com opal opal
Raphaël Hertzog raphael@freexian.com hertzog buxy
Roberto C. Sánchez roberto@connexer.com roberto el_cubano
Stefano Rivera freexian@rivera.za.net stefanor tumbleweed
Sylvain Beucler beuc@beuc.net beuc Beuc
Thorsten Altenholz squeeze-lts@alteholz.de alteholz ta
Tobias Frost tobi@frost.de tobi tobi
Utkarsh Gupta guptautkarsh2102@gmail.com utkarsh2102 utkarsh2102

For the sake of transparency, they bill their work to Freexian at a pre-defined rate of 85 EUR/hour (less than what is billed to sponsors, the difference covers Freexian’s administrative costs).

This list can evolve over time.

I have a concern about the quality of the work and/or the behaviour of one of the paid developers. What should I do?

Contact Raphaël Hertzog and express your concerns. Please provide all the elements backing up your concerns. We are committed to do high quality work without disrupting the Debian community in any way and want to know when we do not live up to our promise.

I would like to join the team of contributors paid to handle security updates. Is it possible?

Yes, if you meet the following requirements:

  • you are a Debian developer or a Debian maintainer;
  • you have some prior experience with providing security updates in Debian (at least on your own packages);
  • you have good programming skills and know multiple languages (to be able to backport security fixes);
  • you can emit invoices to Freexian;
  • you accept the rules defined for this project (see below for details).

If you meet all the requirements, then contact Raphaël Hertzog and Anton Gladky to apply. We will get back to you with a series of questions asking you to provide some evidence that you have the required skills (and experience).

What are the rules for the contributors paid by Freexian?

  • They must respect the privacy of any customer data that Freexian might share with them.
  • They must prepare a public monthly report of the work done on paid time (for example on their blog).
  • They must respect the Debian code of conduct and respond to queries about their work from fellow community members.
  • They must do their best to meet the high-quality standards set by the Debian security team.

Not respecting those rules is ground to be dropped from the set of contributors that Freexian is willing to work with.