This page provides more information about the offer described on the Debian Long Term Support page.
1. The principle
As a project led by volunteers, Debian used to provide only 3 years of security support for its official releases. In order to extend security support to 5 years, a few volunteers have initiated the Debian LTS project in 2014. This open project allowed any Debian developer to contribute security updates for the last version of Debian which was no longer supported by the official security team.
To make this project a continued success, we need the help of organizations that benefit from this extended support. There are basically two ways to contribute:
- have people from your company join the LTS team, and allocate time for them to work on security updates following the usual workflow of the team;
- hire Debian developers so that they can spend time on preparing security updates for the current LTS version.
This page is about the latter. Several Debian developers who are willing to provide security updates for Debian on a paid basis got together and created the service presented on this page. Freexian, a French company managed by 3 Debian developers, collects money from all parties willing to financially support the LTS effort, and uses this money to pay the Debian contributors who are providing security updates.
2. The goal
The goal is to ensure that we have the means to provide proper 5-year security support for every Debian stable release, by helping the Debian security team where needed and then taking over from them once they stop maintaining a given release.
With ~230 hours funded per month, we are doing a reasonable job covering the bulk of the supported packages, but we are not investing much in improving the security infrastructure for the future. Also, our usage of Debian resources creates some strain on other Debian teams, and we want to be able to give back to those teams to reduce their workload. The goal has thus been raised so that we can do more than just provide security fixes.
Any surplus will be used to improve the security in Debian in coordination with the Debian Security Team. For example, we could invest in better infrastructure which would also benefit the standard security support, or we could work on proactive measures like adding automated tests to avoid regressions on packages that are regularly updated with security fixes. Another possibility is to work on additional security hardening.
3. The benefits
3.1 Prioritize packages that you rely on
Any contribution gives you the right to submit a list of packages that you rely on, and that should be prioritized in terms of security support. The votes will be weighted by the amount of money contributed. To submit your list of packages, follow the steps outlined below.
On your Debian servers, run this command:
$ dpkg-query -f'${db:Status-Status} ${source:Package},${Package},${Version}\n' -W | awk '! /^(not-installed|config-files)/ {print $2}' >$(hostname).pkglist
Then collect all your *.pkglist files and merge them with:
$ sort -u *.pkglist >final.pkglist
Finally, send this final.pkglist file to sales@freexian.com. Feel free to drop packages from the generated list to only keep those that truly matter to you.
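The following script is an added example, not part of the Freexian page: it exercises the two steps above (the awk filter on dpkg-query output, then the sort -u merge) on constructed sample data, so you can see which status lines are dropped before running the real commands on your hosts. The host names, package names and version strings are all made up, and dpkg-query itself is not invoked; the sample lines only mimic the "<status> <source>,<binary>,<version>" shape that the page's format string produces.

```shell
#!/bin/sh
# Added example (not the page's own code): dry run of the pkglist filter and merge.

# Constructed dpkg-query output for two hypothetical hosts, in the format
# "<db:Status-Status> <source:Package>,<Package>,<Version>" used by the page's command.
# Versions are placeholders, not real Debian version strings.
SAMPLE_HOST_A='installed openssl,libssl1.1,1.0-1
installed nginx,nginx-common,1.0-1
config-files exim4,exim4-base,1.0-1
not-installed apache2,apache2,1.0-1'

SAMPLE_HOST_B='installed openssl,libssl1.1,1.0-1
installed curl,curl,1.0-1
half-configured postfix,postfix,1.0-1'

# The page's awk filter: drop packages that are removed (not-installed) or only
# have configuration left (config-files); every other dpkg status counts as
# "relied on", including half-configured ones. Prints the source,binary,version field.
filter_pkglist() {
    awk '! /^(not-installed|config-files)/ {print $2}'
}

# The page's merge step: one de-duplicated list across all hosts.
merge_pkglists() {
    sort -u "$@"
}

# Write each host's filtered list to <hostname>.pkglist in a scratch directory,
# merge them into final.pkglist and print the result.
build_final_pkglist() {
    workdir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_HOST_A" | filter_pkglist > "$workdir/hostA.pkglist"
    printf '%s\n' "$SAMPLE_HOST_B" | filter_pkglist > "$workdir/hostB.pkglist"
    merge_pkglists "$workdir"/*.pkglist > "$workdir/final.pkglist"
    cat "$workdir/final.pkglist"
    rm -rf "$workdir"
}

# Number of distinct entries in the merged list.
count_final_entries() {
    build_final_pkglist | wc -l | tr -d ' '
}

build_final_pkglist
```

With the sample above, exim4 and apache2 disappear, openssl appears once even though both hosts list it, and the merged list contains four entries. Replace the SAMPLE_* variables with the real dpkg-query pipeline from the page when running this on your own servers.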
3.2 Private mailing list to seek advice
If your funding level is at least Bronze 1, Freexian will subscribe the person listed as technical contact to a private mailing list that all contributing companies can use to discuss their needs and share their experience. The goal is to help everybody make the best usage of what Debian already provides, and to identify possible improvements to make Debian an even better choice for the future.
While the mailing list offers privacy to its members, good ideas of improvements will be shared on the appropriate public mailing list of the Debian project.
3.3 Direct contact with LTS staff
If your funding level is at least Silver 1, you can submit your queries and requests about Debian LTS in general and/or any security update in particular to us. In the spirit of transparency and collaboration, we prefer if you submit those requests on the public mailing list and at the same time you send a copy to sales@freexian.com to let us know that you want a reply from us.
3.4 Submit your own test cases
If your funding level is Platinum, you can submit to us functional tests covering the set of packages that you care about, and we will run those tests on updated packages to detect undesired regressions (ideally before they are released). If you have special requests, or specific needs, we will evaluate them and see what we can come up with.
Details about how those functional tests must be submitted are still to be defined but we will likely require functional tests in the form of a Debian source package with DEP-8 automated tests.
3.5 Thanked as sponsor
If your funding level is at least Bronze 1, you can be publicly thanked for this in the dedicated section of this page. Contributing companies are ranked in 4 categories: bronze (the default), silver, gold and platinum.
Sponsors at the bronze level and higher can provide a logo that will be linked to the webpage of their choice. Logos will be re-sized to a maximum of 75x150 for bronze/silver level sponsors and 150x300 for gold/platinum level sponsors.
Frequently Asked Questions
For any question not answered here, please get in touch with us.
Can you support a release for more than 5 years?
Yes, please have a look at our Extended LTS offer. It works differently from regular LTS, but you can get security support for up to 10 years. Don’t hesitate to contact us with a package list to get a quote.
Is there VAT applied on Freexian invoices?
For French companies, yes, 20%. For EU companies that provide a valid VAT Number, no. For other countries, no.
Can I contribute as an individual and not as a company?
It’s possible, but there are two issues: as an individual, Freexian must add 20% VAT to your invoice, and we don’t accept amounts smaller than 255 EUR (excluding VAT) per year, because handling smaller amounts would cost us too much in administrative overhead. If you want to contribute an amount above this limit and don’t mind the 20% overhead due to VAT, please feel free to send us back the subscription form and we will prepare the corresponding invoice for you.
Why is this organized by Freexian and not by Debian/SPI?
Because it’s much more difficult to organize this in the context of Debian proper. Paying Debian developers with Debian money is still a no-go; the last time it was attempted, it generated quite some dissent (see this article).
That said, this project has the support of Debian: it has been mentioned in the Debian press release announcing the first LTS release (which was vetted by the Debian project leader) and in multiple other announcements since then. It is also a Debian project, since its inception happened on the debian-lts mailing list.
Who will prepare the security updates?
The following persons offered their services (by alphabetical order):
Name | Email | Debian login | IRC nick |
---|---|---|---|
Abhijith PA | abhijith@disroot.org | abhijith | bhe[m] |
Adrian Bunk | bunk@stusta.de | bunk | bunk |
Andrej Shadura | andrew@shadura.me | andrewsh | andrewsh |
Anton Gladky | gladky.anton@gmail.com | gladk | gladk_ |
Arturo Borrero Gonzalez | arturo.bg@arturo.bg | arturo | arturo |
Bastien Roucariès | roucaries.bastien@gmail.com | rouca | rouca |
Ben Hutchings | ben@decadent.org.uk | benh | bwh |
Chris Lamb | chris@chris-lamb.co.uk | lamby | lamby |
Daniel Leidert | daniel.leidert@wgdd.de | dleidert | - |
Dimitri John Ledkov | dimitri.ledkov@surgut.co.uk | xnox | xnox |
Emilio Pozuelo Monfort | pochu27@gmail.com | pochu | pochu |
Enrico Zini | enrico@enricozini.org | enrico | enrico |
Guilhem Moulin | freexian@guilhem.se | guilhem | guilhem |
Helmut Grohne | helmut.grohne@subdivi.de | helmutg | helmut |
Jochen Sprickerhof | freexian@jochen.sprickerhof.de | jspricke | jochensp |
Lee Garrett | debian@rocketjump.eu | lee | - |
Lucas Kanashiro | kanashiro@riseup.net | kanashiro | kanashiro |
Markus Koschany | markus@koschany.net | apo | apo |
Ola Lundqvist | ola@inguza.com | opal | opal |
Raphaël Hertzog | raphael@freexian.com | hertzog | buxy |
Roberto C. Sánchez | roberto@connexer.com | roberto | el_cubano |
Santiago Ruano Rincón | santiagorr@riseup.net | santiago | santiago |
Sean Whitton | spwhitton@spwhitton.name | spwhitton | spwhitton |
Stefano Rivera | freexian@rivera.za.net | stefanor | tumbleweed |
Sylvain Beucler | beuc@beuc.net | beuc | Beuc |
Thorsten Altenholz | squeeze-lts@alteholz.de | alteholz | ta |
Tobias Frost | tobi@frost.de | tobi | tobi |
Utkarsh Gupta | guptautkarsh2102@gmail.com | utkarsh2102 | utkarsh2102 |
For the sake of transparency, they bill their work to Freexian at a pre-defined rate of 85 EUR/hour (less than what is billed to sponsors, the difference covers Freexian’s administrative costs).
This list can evolve over time.
I have a concern about the quality of the work and/or the behaviour of one of the paid developers. What should I do?
Contact Raphaël Hertzog and the LTS Coordinator and express your concerns. Please provide all the elements backing up your concerns. We are committed to doing high-quality work without disrupting the Debian community in any way, and we want to know when we do not live up to our promise.
I would like to join the team of contributors paid to handle security updates. Is it possible?
Yes, if you meet the following requirements:
- you are a Debian developer or a Debian maintainer;
- you have some prior experience with providing security updates in Debian (at least on your own packages);
- you have good programming skills and know multiple languages (to be able to backport security fixes);
- you can issue invoices to Freexian;
- you accept the rules defined for this project (see below for details).
If you meet all the requirements, then contact Raphaël Hertzog and the LTS Coordinator to apply. We will get back to you with a series of questions asking you to provide some evidence that you have the required skills (and experience).
What are the rules for the contributors paid by Freexian?
- They must respect the privacy of any customer data that Freexian might share with them.
- They must prepare a public monthly report of the work done on paid time (for example on their blog).
- They must respect the Debian code of conduct and respond to queries about their work from fellow community members.
- They must do their best to meet the high-quality standards set by the Debian security team.
Not respecting those rules is grounds for being dropped from the set of contributors that Freexian is willing to work with.