About 150 updates came through recently, though none appear to me to be Librem 5 related specifically, rather upstream Debian updates rolling in. No functionality improvements for me.
Question to @JCS : when will development start moving again regarding getting Crimson ready for Librem 5?
I understand that it is difficult to say when it will be ready, always hard to know how long time things take, but could you at least tell us when some work will start happening again, so that things can start moving again?
Alternatively, if Purism is not going to develop PureOS for the Librem 5 any longer, are there plans to hand over that to some other organization or to make PureOS some kind of community-driven project no longer run by Purism?
@JCS posted the current state of things here: https://forums.puri.sm/t/lets-crowdfund-some-development-to-get-pureos-crimson-ready-for-l5/22827/188.
@JCS on Qubes Forum, they posted yesterday that ‘Debian 11 (Bullseye) approaching EOL’. The first line states:
The Debian Project currently estimates that Debian 11 (Bullseye) will reach EOL (end-of-life) sometime around July 2024 (approximately two months from now). Please upgrade all of your Debian 11 templates and standalones to Debian 12 (Bookworm) by then.
As Debian 11 goes EOL, I’m wondering how this will affect PureOS if it is still stuck in Byzantium? Is it possible to get any sort of comment / statement from Purism related to Crimson release and Byzantium security related to this piece of news?
Exactly, we need security updates, if nothing else.
When it reaches EOL, it enters LTS. In the case of Debian 11 it will receive security updates until June 30th, 2026.
https://wiki.debian.org/LTS
Thanks for that. At least there will be some security updates.
But, reading the website you provided a link for, it states: “Debian LTS is not handled by the Debian Security team, but by a separate group of volunteers and companies interested in making it a success.”
I’m sure it is managed ok, but the fact that it is volunteers would give me cause for concern about how diligent and thorough it is. At least if I was Purism.
So, Debian 11 will be in LTS. That is fine. But, it would still be nice to hear from @JCS and Purism, what their position will be in terms of how it affects PureOS. And, in turn the impacts on Librem products. Not just the L5, but the other hardware they sell that PureOS is built for.
Let’s make a bet: is Crimson or Trixie coming first? I bet Trixie lol
This is important. Although “Buster” says that it is supported until June 2024 … that is LTS support and it is not necessarily supported by the security team anymore. So, for example, Buster has not received any patches for the recent flatpak CVE (CVE-2024-32462). I think the security team stops the coverage when the release moves to LTS. I’ve watched that CVE because the patch is simple (something like 12 lines) and it hasn’t been patched yet in Ubuntu 22.04 (Canonical doesn’t make promises about patching packages in their “Universe” (non-“Main”) repository).
… which is a bit slack because the Ubuntu 22.04 LTS-to-Ubuntu 24.04 LTS upgrade is not available yet as far as I know. In other words, a customer who uses only the LTS versions, hopping from one to the next, is actually on the latest LTS version with 22.04 (unless the customer wants to wipe everything out, install 24.04 from scratch and then re-establish everything).
I don’t know the exact timing but I expect that the above upgrade will appear in the next few months.
… which is a bit slack because the Ubuntu 22.04 LTS-to-Ubuntu 24.04 LTS upgrade is not available yet as far as I know. …
It’s available. It’s not recommended. You have to add a flag (-d) to the do-release-upgrade. Of course one always has the choice of doing a fresh install. I suggested that maybe they should release flatpak as a snap.
It is slack. While Canonical said that they haven’t changed anything in regard to facilitating security updates in “Universe” … I think they used to be a bit more on top of high level CVEs from active community projects.
OK. I should clarify that I mean: At a certain point in time, in the next few months, the Ubuntu GUI software updater will notice that the LTS upgrade becomes recommended, and it will offer it to everyone who has not taken either of the alternative steps that you mention (and who has configured to install only LTS versions). So it will happen automatically with a click of a button, rather than having to take special steps.
As Canonical is intentionally making it the case that we have not yet reached that “certain point in time”, they should consider that everyone in this situation is missing out on some security updates (in this case, a high severity one).
I guess ultimately they want you using snaps, not flatpaks.
PureOS development is slowly ramping up again after Purism revamped its cashflow and inventory financing and is now better living within its means. Better cashflow and recently increased sales are dissolving much of the debt that had become a blocker for most ongoing development efforts. Despite it being paramount in a tech company, R&D is ultimately a cost center; weight had to temporarily shift toward profit centers - marketing, sales, etc - for long-term survivability. Finances are now looking more promising and we’ll proceed with an internal PureOS development crowdfunding campaign (timeline TBD but expecting within a month or two, pending planning+infrastructure+webdev efforts) then keep the momentum to increase hours of contractor staff toward full-time. I can provide more concrete answers once several unknowns are resolved.
The Debian Security team is all volunteers too and they’re doing a great job.
It will be available in October. I tried upgrading distribution from 23.10 and experienced tons of issues, always ending up with a broken system due to the install failing in various ways, package dependency issues and the screen even shutting down during package install.
I’ve never had a problem. However, I only run LTS and always wait for the first point release.
So what? i.e. Your statement proves nothing.
I agree that the Debian Security team does a great job. But note that nobody has patched the LTS release for this pretty high CVE for a highly used package (flatpak) CVE-2024-32462. To be clear: The security team did patch what they are responsible for … but the LTS release (currently Buster) is still unpatched. That’s cause for concern that the volunteers from the non-security team might not be up to the task, right?
@kms said it would give him concerns that the LTS team is volunteers (LTS isn’t all volunteers btw). I made the point that “all volunteer teams” can work fine and that it doesn’t give indication about the quality of the work done.
Your statement proves nothing.
I don’t have to proof anything to you.
I’ve given evidence that the LTS team is not addressing CVEs as well as the security team. In other words @kms absolutely has cause for concern.
And while I agree it has nothing to do with “volunteer” or “not volunteer”, it’s a concern.
Your statement proves nothing.
I don’t have to proof anything to you.
That’s “prove” not “proof”. And, no, you don’t. I didn’t ask you to prove anything. My statement was simply pointing out that you didn’t prove anything. We wouldn’t want anybody confused on whether you are asserting that the LTS team is as good as the Security Team in providing security patches.
[Edit: I was reading about another vulnerability from January 2024. CVE-2024-1086. I thought I would check this one too. Again the Security Team has patched it in their distros. Not true for the LTS Team. CVE-2024-1086]
I’m still walking around with Byzantium L5 in my pocket. If I go around with a Crimson install instead, what types of issues would I expect to face? Or where should I read about that?