Debian Long Term Support - Details

This page provides more information about the offer described on the Debian Long Term Support page.

1. The principle

As a project led by volunteers, it's currently not possible for Debian to provide 5 years of security support to its official releases. At the same time, many Debian users would greatly benefit from such an extended period of support. In order to fix this, a few volunteers have initiated the Debian LTS project in 2014. This open project allowed any Debian developer to contribute security updates for the last version of Debian which is no longer supported by the official security team.

To make this a project a continued success, and to ensure that all future releases can be announced with 5 years of support from the start, we need the help of organizations that benefit from this extended support. There are basically two ways to contribute:

This page is about the latter. Several Debian developers who are willing to provide security updates for Debian on a paid basis got together and created the offer on this page. Freexian, a French company managed by Debian developer Raphaël Hertzog, is collecting money from all parties willing to financially support the LTS effort and is spending this money to hire the Debian contributors who are providing security updates.

Note that companies whose employees have provided a steady flow of contributions towards Debian LTS can also be thanked in the dedicated section. Get in touch if you are in that case and would like to be listed.

2. The goal

The goal is to ensure that we have the means to provide proper 5-year security support for every Debian stable releases, taking over from the Debian security team once it stops to maintain a given release. With 200 hours funded per month, we are doing a reasonable job covering the bulk of the packages but we are not doing much investment to improve the security infrastructure for the future. Also our usage of Debian resources is creating some strain on other Debian teams and we want to be able to give back to those teams to reduce the frictions. The goal has thus been raised so that we can do more than just providing security fixes.

Any surplus will be used to improve the security in Debian in coordination with the Debian Security Team. For example, we could invest in better infrastructure which would also benefit the standard security support, or we could work on proactive measures like adding automated tests to avoid regressions on packages that are regularly updated with security fixes. Another possibility is to work on additional security hardening.

3. The benefits

3.1 Prioritize packages that you rely on

Any contribution gives you the right to submit a list of packages that you rely on and that should be prioritized in terms of security support. The votes will be weighted by the amount of money contributed. To submit the list of packages, follow the steps outlined below.

On your Debian servers, run this command:
$ dpkg-query -f'${Source},${Package},${Version}\n' -W >`hostname`.pkglist

Then collect all your *.pkglist files and merge them with:
$ sort -u *.pkglist >final.pkglist
Then send the file final.pkglist to Feel free to drop packages from the generated list to only keep those that truly matter to you.

3.2 Private mailing list to seek advice

If you fund at least one hour per month, Freexian will subscribe the person listed as technical contact to a private mailing list that all contributing companies can use to discuss their needs and share their experience. The goal is to help everybody make the best usage of what Debian already provides and to identify possible improvements to make Debian an even better choice for the future.

While the mailing list offers privacy to its members, good ideas of improvements will be shared on the appropriate public mailing list of the Debian project.

3.3 Direct contact with LTS staff

If you fund at least 4 hours per month, you can submit your queries and requests about Debian LTS in general and/or any security update in particular to us. In the spirit of transparency and collaboration, we prefer if you submit those requests on the public mailing list and at the same time you send a copy to to let us know that you want a reply from us.

3.4 Submit your own test cases

If you fund more than three days of work per month, you can submit to us functional tests covering the set of packages that you care about, and we'll run those tests on updated packages to detect undesired regressions (ideally before they are released). If you have special requests, or specific needs, we will evaluate them and see what we can come up with.

Details about how those functional tests must be submitted are still to be defined but we will likely require functional tests in the form of a Debian source package with DEP-8 automated tests.

3.5 Thanked as sponsor

If you fund more than one hour per month, you can be publicly thanked for this in the dedicated section of this page. Contributing companies are ranked in 4 categories: bronze (the default), silver (for 4 hours/month and above), gold (for 1 day/month and above) and platinum (for 3 days/month and above).

Sponsors at the bronze level and higher can provide a logo that will be linked to the webpage of their choice. Logos will be re-sized to a maximum of 75x150 for bronze/silver level sponsors and 150x300 for gold/platinum level sponsors.

Frequently Asked Questions

For any question not answered here, please get in touch with us.

Can you support a release for more than 5 years?

Yes. If you are at least silver sponsor of Debian LTS, then you are eligible to join the Extended LTS project. It works differently than regular LTS but you can get security support for some Debian packages after the 5 years of support. Don't hesitate to contact us to have a quote.

Is there VAT applied on Freexian invoices?

For French companies, yes, 20%. For EU companies that provide a valid VAT Number, no. For other countries, no.

Can I contribute as an individual and not as a company?

It's possible but there are two issues: as an individual, Freexian must invoice you 20% of VAT, and we don't accept amounts smaller than 255 EUR without VAT per year (because handling smaller amounts would cost us too much in terms of administrative overhead). If you want to contribute an amount bigger than this limit and if you don't care about the 20% of overhead due to VAT, please feel free to send us back the subscription form and we will prepare the corresponding invoice for you.

Why is this organized by Freexian and not by Debian/SPI?

Because it's much more difficult to organize this in the context of Debian proper. Paying Debian developers with Debian money is still a no-go, the last time it was attempted, it generated quite some dissent (see this article).

That said, this project has the support of Debian: it has been mentionned in the Debian press release announcing the first LTS release (which has been vetted by the Debian project leader itself) and in multiple other announces since then. It is also a Debian project since its inception happened on the debian-lts mailing list.

Who will prepare the security updates?

The following persons offered their services (by alphabetical order):

NameEmailDebian loginIRC nick
Abhijith PAabhijith@disroot.orgabhijithbhe[m]
Adrian Bunkbunk@stusta.debunkbunk
Anton Gladkygladky.anton@gmail.comgladkgladk_
Brian Maybrian@linuxpenguins.xyzbam-
Dylan Aï
Emilio Pozuelo Monfortpochu27@gmail.compochupochu
Guido Günthergg@godiug.netagxagx
Holger Levsenholger@layer-acht.orgholgerh01ger
Jonas Meurerjonas@freesources.orgmejomejo
Lee Garrettdebian@rocketjump.eulee (DM)-
Lucas Kanashirokanashiro.duarte@gmail.comkanashirokanashiro
Markus Koschanymarkus@koschany.netapoapo
Mike Gabrielmike.gabriel@das-netzwerkteam.desunweaversunweaver
Ola Lundqvistola@inguza.comopalopal
Raphaël Hertzographael@freexian.comhertzogbuxy
Roberto C. Sánchezroberto@connexer.comrobertoel_cubano
Santiago Ruano Rincónsantiagorr@riseup.netsantiagosantiago
Sylvain Beuclerbeuc@beuc.netbeucBeuc
Thorsten Altenholzsqueeze-lts@alteholz.dealteholzta
Utkarsh Guptaguptautkarsh2102@gmail.comutkarsh2102

For the sake of transparency, they bill their work to Freexian at a pre-defined rate of 75 EUR/hour (less than what is billed to sponsors, the difference covers Freexian's administrative costs).

This list can evolve over time.

I have a concern about the quality of the work and/or the behaviour of one of the paid developers. What should I do?

Contact Raphaël Hertzog and express your concerns. Please provide all the elements backing up your concerns. We are committed to do high quality work without disrupting the Debian community in any way and want to know when we do not live up to our promise.

I would like to join the team of contributors paid to handle security updates. Is it possible?

Yes, if you meet the following requirements:

If you meet all the requirements, then contact Raphaël Hertzog and Jeremiah Foster to apply and provide the necessary evidence so that we can ensure that you have the required skills (and experience).

What are the rules for the contributors paid by Freexian?

Not respecting those rules is ground to be dropped from the set of contributors that Freexian is willing to work with.

Back to the main page about Freexian's Debian LTS offer.