Tom Lane wrote:
> To me the critical point is that those are produced by people we know
> who are at least reasonably accountable to the PG community. While I
> don't wish to sound like I'm badmouthing the Turnkey folk, we don't have
> any basis to believe that, for instance, they'll provide security
> updates promptly. (In fact, given that none of them are on
> pgsql-packagers, we can be quite sure that they'll be somewhat behind
> the curve for such things.)
I think Tom has a good point regarding accountability and transparency.
You don't want to list software from just anyone on the official
website. At turnkeylinux.org we've done quite a bit to increase
transparency over the last couple of months (open mailing lists,
development wiki, etc.), but there is still room for improvement. We'll
be adding a blog aggregator to the project website soon to make it
easier for everyone to get to know the people involved with our project. Note that TurnKey is an opensource project and
thatall our appliances
are assembled from unmodified Ubuntu binaries mostly. There are a few
exceptions and they are clearly marked in the package management system,
documented in the development wiki and have source code available in our
repository.
Regarding security updates, anyone using TurnKey appliances is likely to
be ahead of the curve since we apply them automatically on a daily basis
from the Ubuntu security repositories. If you're wondering if it's safe
to do that, Ubuntu follow Debian packaging guidelines regarding security
updates. Security patches are backported in a way that minimizes changse
to the functionality of the packages. It isn't foolproof but from our
experience it is very rare for a security update to break your system.
Cheers,
Liraz
