Comparing package bases: Ubuntu vs Debian

Chat about anything related to Linux Mint
User avatar
xenopeek
Level 24
Level 24
Posts: 21286
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Comparing package bases: Ubuntu vs Debian

Postby xenopeek » Thu Aug 06, 2015 5:40 pm

I was recently reminded about some facts for the Ubuntu package base with regards to number of packages and support policies. So I decided to compare it with the Debian package base. Trying to complete my understanding :) Any errors are mine.

I'm comparing Linux Mint 17.2 (using Ubuntu 14.04 as a package base) and LMDE 2 (using Debian 8 as a package base with addition of the Deb Multimedia repositories).

Counting packages...
While if you look in your package manager the repositories for both look like they have a lot of packages, those numbers are a bit inflated and do not translate to number of programs in any way. While there is one "upstream" source (as released by the software's developers) software will generally be split up into multiple packages in the repositories (generally the program itself, reusable parts like libraries, localizations for software and documentation, and parts needed to compile software that uses this software are all split into separate packages).

I did some counting over the packages index cache (in /var/lib/apt/lists) and determined the number of unique package names and unique package source names for each repository, the subtotals of those, and the totals. The numbers are a bit surprising. While Ubuntu shows to have ~2950 (6.8%) more packages than Debian, when you look at sources Debian has ~1250 (14%) more than Ubuntu. So while LM 17.2 has more packages using Ubuntu, might I draw the conclusion that LMDE 2 using Debian has a more diverse software collection?

Code: Select all

 LM 17.2       |  Packages  |  Sources            LMDE 2        |  Packages  |  Sources
---------------+------------+------------        ---------------+------------+------------
 Ubuntu        |     46075  |      8954           Debian        |     43155  |     10199
   main        |      9620  |      1529             main        |     42412  |     10070
   restricted  |        76  |        16             contrib     |       253  |        67
   universe    |     35645  |      7785             non-free    |       490  |        79
   multiverse  |       754  |       134          ---------------+------------+------------
---------------+------------+------------         Linux Mint    |       451  |        64
 Canonical     |        28  |         4             main        |       137  |        18
   partner     |        28  |         4             upstream    |        65  |        10
---------------+------------+------------           import      |       253  |        37
 Linux Mint    |      1501  |       196          ---------------+------------+------------
   main        |       163  |        21           Deb Multim.   |       520  |       141
   upstream    |        82  |        14             main        |       505  |       137
   import      |      1263  |       163             non-free    |        15  |         4
---------------+------------+------------        ---------------+------------+------------
               |     46434  |      9010                         |     43640  |     10355

If you count the subtotals you'll note that these don't add up to the totals. That's because the Linux Mint repositories have packages that are also available in the package base repositories. For counting the totals I determined the number of unique package name and package source names over all repositories.

Support policies
Something I kind of forgot about, as Linux Mint's Software Sources program doesn't show you this information.

Let's start with Ubuntu:
  • Canonical only supports the packages in main, restricted, and I guess partner. That accounts for less than ¼th of the total number of packages! Canonical supports these packages with security updates and other critical fixes for the lifetime of the Ubuntu release. For the LTS release that is 5 years.
  • Packages in universe and multiverse aren't supported by Canonical but by the Ubuntu derivatives and others (so called MOTU team—masters of the universe). You'll find packages from Kubuntu (KDE) and Xubuntu (Xfce) here for example. Given the large number of packages relative to the limited resources of the team, support is best effort and may not be for the liftetime of the Ubuntu release (but rather 3 years). Vast majority of these packages don't get much attention and are just imported from Debian (testing or unstable!) and rebuilt for Ubuntu.
Compare that to Debian:
  • Debian only considers packages from main part of its distribution for the purpose of support, but those packages account for over 98% of all its packages! Debian security team supports these packages for a period of 3 years. After that period the Debian LTS team supports those packages for an additional 2 years. The Debian LTS team is a much smaller team and is comprised of companies and individuals that have an interest in LTS; this is a team separate from the Debian security team (though there is some overlap).
Some surprises for me. Especially that on the face of it on Ubuntu packages are overall less well supported than on Debian.

(I'll be setting up a computer for somebody else soon that for home office tasks and this has all made me consider using LMDE 2 instead of planned LM 17.2. I'm also considering CentOS so over the weekend if I have some time I'll try to compare with that also.)
Image

User avatar
Crewp
Level 9
Level 9
Posts: 2522
Joined: Sat Dec 01, 2012 8:36 pm
Location: Connecticut,USA

Re: Comparing package bases: Ubuntu vs Debian

Postby Crewp » Thu Aug 06, 2015 6:05 pm

Very interesting, thank you for taking the time to present this information.
Image

exploder
Level 14
Level 14
Posts: 5492
Joined: Tue Feb 13, 2007 10:50 am
Location: HartfordCity, Indiana USA
Contact:

Re: Comparing package bases: Ubuntu vs Debian

Postby exploder » Thu Aug 06, 2015 9:04 pm

Thanks for sharing what you found! Something I have noticed from having the main (Ubuntu based) edition on my laptop and LMDE 2 (Debian based) on my desktop is that there are huge differences in system updates! The laptop with the main edition is constantly getting lots of updates, the desktop with LMDE 2 gets updates but way less frequently. Ubuntu releases by a strict schedule but Debian does not release until all critical bugs have been taken care of.

Because of the hardware on both machines I install all updates. In my opinion the Debian base has much higher quality standards. Ubuntu often publishes bug and security updates that are not present in Debian or in this case it's derivatives. There is one bug in LMDE 2 that is not present in Debian though, the Intel graphics bug... As far as updates go, LMDE 2 has not had a single issue in the 4 months that I have been running it. The laptop running on the Ubuntu based main edition has had graphics issues on and off from updates, nothing so serious I could not fix it but no where near as solid as LMDE 2.

Ubuntu's LTS that the main edition is built on is not built on Debian's stable release but rather Debian Sid so it's pretty easy to figure out which Mint edition is going to be more stable and refined.

User avatar
killer de bug
Level 14
Level 14
Posts: 5299
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: Comparing package bases: Ubuntu vs Debian

Postby killer de bug » Fri Aug 07, 2015 5:09 am

Thanks xenopeek for these stats! Finally you are confirming the strong reputation of Debian's package base.

As exploder says, in the last months, with LMDE2, I had no issues at all. Everything is rocking solid.
Image
If it ain't broke, fix it until it is.

User avatar
Fred Barclay
Level 11
Level 11
Posts: 3928
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Comparing package bases: Ubuntu vs Debian

Postby Fred Barclay » Fri Aug 07, 2015 1:46 pm

killer de bug wrote:Thanks xenopeek for these stats! Finally you are confirming the strong reputation of Debian's package base.

As exploder says, in the last months, with LMDE2, I had no issues at all. Everything is rocking solid.


Thanks, xenopeek. Very interesting, and a good read, too! :)

I've had a few troubles with Betsy (Intel graphics bug was one) but she's quite nice! I've been hooked on LMDE since I first tried it (LMDE 201403) and have never looked back!
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

User avatar
rivenathos
Level 6
Level 6
Posts: 1072
Joined: Wed May 06, 2009 7:32 am
Location: USA

Re: Comparing package bases: Ubuntu vs Debian

Postby rivenathos » Fri Aug 07, 2015 1:53 pm

Thanks for the extensive research on this subject. It allows others to more fully understand the stability of packages from particular distros.

Ark987
Level 4
Level 4
Posts: 351
Joined: Tue Apr 07, 2015 4:20 am

Re: Comparing package bases: Ubuntu vs Debian

Postby Ark987 » Sat Aug 08, 2015 3:46 am

I like Mint project since 2006 after but I was never a big fan of Ubuntu since the beginning, I blame Fedora for that.
But this is some kind of revelation for me since I've started using Mint as my main OS, so are you telling that the Ubuntu LTS is just a placebo :lol:?

I was looking into the package list of the current LTS http://packages.ubuntu.com/trusty/allpackages and I notice that nearly all the software that I really care about for daily use is either in 'universe' or 'multiverse', Does this mean that they are not strictly supported for 5 full years? Hopefully I saw Firefox and LibreOffice listed with a 'security' tag but this is shameful to call that an LTS release :roll:

I hope that Debian base gets adopted quickly as main stream, I want to give it a try to LMDE again but I'm waiting for systemd to land first.
If you try CentOS would you share your experience? Is it going to be for desktop use, right?
Image

User avatar
xenopeek
Level 24
Level 24
Posts: 21286
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Comparing package bases: Ubuntu vs Debian

Postby xenopeek » Sat Aug 08, 2015 4:26 am

Ark987 wrote:I want to give it a try to LMDE again but I'm waiting for systemd to land first.

You should be able to switch to systemd on LMDE 2. It is based on Debian 8 which uses systemd by default, so it has good support from Debian teams. If you want to wait for LMDE 3, that will likely take between 2 - 3 years to arrive (with Debian 9).
Image

User avatar
xenopeek
Level 24
Level 24
Posts: 21286
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Comparing package bases: Ubuntu vs Debian

Postby xenopeek » Thu Aug 13, 2015 4:17 pm

Ark987 wrote:If you try CentOS would you share your experience? Is it going to be for desktop use, right?

I did install CentOS also in a VM and had a look around. Where Debian 8 had 43155 packages built from 10199 sources in CentOS 7 I find 15821 packages from 3462 sources. But to get somewhere close to a usable desktop system (with fonts not trying to gauge my eyes out for example) I had to add the nux-desktop and epel repositories. Excluding these from the count I'm left with only 1377 sources.

So CentOS 7 has 86% less sources than Debian 8 and even adding nux-desktop and epel repositories it has 66% less sources. Now if its repositories have all the software you need than this isn't a big issue but the software is also much older than on Debian 8. For example it has GNOME 3.8 while Debian 8 has GNOME 3.14.

I decided against using it for the install I'm doing for my dad (viewtopic.php?f=61&t=202037). I'll play around some more with CentOS to get some more familiarity, I might find a place for it in a future project.
Image

User avatar
Pjotr
Level 18
Level 18
Posts: 8628
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Comparing package bases: Ubuntu vs Debian

Postby Pjotr » Thu Aug 13, 2015 4:40 pm

More research is needed, I think.... Let's not jump to conclusions.

For example: which Universe and Multiverse packages are *usually* (or often) installed in computers running Mint and Ubuntu? And how good is the support for those *commonly used packages* in real life, during the LTS lifetime?

MOTU's have to set priorities, I assume, because their available time is limited. So: how succesful are they in diminishing the *practical* security risks for the *important* packages they control?
Tip: 10 things to do after installing Linux Mint 18.2 Sonya
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
xenopeek
Level 24
Level 24
Posts: 21286
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Comparing package bases: Ubuntu vs Debian

Postby xenopeek » Thu Aug 13, 2015 5:29 pm

xenopeek wrote:on the face of it on Ubuntu packages are overall less well supported than on Debian

Don't skip that first part; this isn't a conclusion :wink: The conclusions I made were about the diversity of software in the package bases.

Looking at the Ubuntu 14.04 derivatives:
- 5 years of support for Edubuntu, Kubuntu, and Ubuntu Kylin.
- 3 years of support for Ubuntu GNOME, Lubuntu, Ubuntu Studio, Xubuntu
- 2 years of support for Mythbuntu
- no support for Ubuntu MATE (there was no 14.04 release)
If the GNOME (as far as not in Ubuntu main), LXDE, Studio, Xfce, and Myth related packages' their maintainers come from these communities then you might have some reason to look worrisome at the last 2 years of support of Ubuntu LTS.

Now there is also a MOTU security team, with 10 active people divided over two groups: https://wiki.ubuntu.com/MOTU/Teams/Security. So they might take over for packages without active maintainers. Still, 10 people for over 36000 packages. While the Debian security team has over 42000 packages in scope, it looks much bigger: https://www.debian.org/intro/organization. Debian security team looks after Debian stable and also somewhat after Debian testing. Ubuntu also imports packages from Debian unstable though. So it's not like the MOTU security team can lean back and let the Debian security team do all the work.

The final 2 years of support on Debian stable is done by Debian LTS team. That team is almost twice as big as the MOTU security team: https://wiki.debian.org/LTS/Team.

Anyway, there are more figures and numbers but you are correct Pjotr this doesn't answer how many security issues will slip into Ubuntu LTS that aren't in Debian stable :wink:
Image

Monsta
Level 9
Level 9
Posts: 2987
Joined: Fri Aug 19, 2011 3:46 am

Re: Comparing package bases: Ubuntu vs Debian

Postby Monsta » Thu Aug 13, 2015 6:29 pm

exploder wrote:The laptop with the main edition is constantly getting lots of updates, the desktop with LMDE 2 gets updates but way less frequently.

Probably because Ubuntu LTS releases are based on Debian Testing? so the guys have more bugs to squash than Debian Stable maintainers do :)

User avatar
Pjotr
Level 18
Level 18
Posts: 8628
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Comparing package bases: Ubuntu vs Debian

Postby Pjotr » Fri Aug 14, 2015 5:17 am

In any case, as Ubuntu LTS user since 6.06 Dapper Drake, I have always computed safely and securely with the LTS'es myself.

The only real practical risk issue that I've experienced in those years, was an outdated and insecure version of Sun Java JRE (in Multiverse, if I recall correctly). That's about it.....

So in my experience, the MOTU's have been doing a pretty good job in keeping the *most important* packages in the Universe and Multiverse repo's of the Ubuntu LTS, secure during its supported lifetime.

Some security flaw in for example Conky, inxi or even xfwm4 will probably remain unfixed, but it's unlikely that security flaws in such packages will ever lead to problems. They're too much "below the radar" of criminals.... Not worth targeting.
Tip: 10 things to do after installing Linux Mint 18.2 Sonya
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.


Return to “Chat about Linux Mint”

Who is online

Users browsing this forum: No registered users and 3 guests