[conspire] What's wrong with MEPIS

Rick Moen rick at linuxmafia.com
Tue Feb 26 11:15:25 PST 2008 

I believe that Bruce has lately been a fan of MEPIS v. 7.0, an
installable, KDE-oriented live CD, maintained solely by Warren Woodford
and lately based more-or-less on periodic forks of Debian's "stable"
branch.


Here's (anonymous) poster #102 on a recent Distrowatch Weekly
(http://distrowatch.com/weekly.php?issue=20080218&mode=62):

  It's just speculation on my part, but from what I have seen recently,
  I'd say Warren is going to give up on Mepis. It might live on if
  someone else picks it up, but given the fact that he has been the
  dominant force in development for so long, I won't be surprised if it
  folds altogether before the end of the year. One more release and he
  will announce, "Sorry, while this was fun, it just doesn't fit my
  schedule anymore.  This will be the last release of Mepis. Thank you to
  everyone for the support over the years."

  One example that struck me as odd is that he recently had someone else
  post a number of things, among them,

  "Warren's Work Status
  Warren is fine. He's been working some very long hours on project /
  contract work which is going well. He is also continuing work on
  development of Mepis whenever he gets a chance."

  "Mepis 8
  He intends starting dev work on Mepis 8 around April. He's not sure on
  a release date as it all depends on when Debian's progress with Lenny
  is completed."

  That doesn't much sound like a distro under the same type of
  development as most other popular distros. If what you say is true,
  that is consistent with a distro that lacks energy and enthusiasm at
  the top.

  [Note that I have stated clearly that this is speculation. If you are
  a Mepis fan, I am not claiming Warren actually said that to me.]

This was of course immediately denounced by several MEPIS proponents,
but it covers some important and serious points, and hints at some
others:


1.  Any distro that relies on just a single guy is not a good long-term
bet.  E.g., White Box Enterprise Linux and Tao Linux (both RHEL rebuilds) 
have been maintained each by a single person, John Morris and David
Parsley, respectively.  Parsley quit after about a year, and that was
the (non-negotiable) end of Tao Linux, with users told to simply go
elsewhere (namely, CentOS).  White Box remains perennially every bit as
much at risk of such a sudden unplanned demise as is MEPIS, with the
same danger signs such as long periods of no development work -- so
smart people therefore use CentOS, instead.

2.  It's a bad sign when a small distro makes bad choices of what larger
work to base itself on.  During the pre-7.0 beta cycle, Woodford
suddenly stopped repackaging Ubuntu binaries[1] in favour of a bizarre mix
of Debian-stable and Ubuntu-release code built from source packages used
to update a core codebase of Debian-stable packages, plus cherry-picked
extra Debian packages taken from Debian's package pools.  WTF?
Woodford's choices of software base seem erratic, and that of
fresh releases of Debian-stable as the new core seems doubtful for a
cutting-edge KDE distribution:  Making new codebases work on a core of
old-ish libs and other infrastructure is probably a hideous amount of
work, which Warren will have to do again with each new release -- by
himself (and he can't control his schedule, either, because it's tied to
Debian's release process).

As year ago, I posted an analysis of how similar erratic moves and bad
choices by Jörg "Kano" Schirottkeabout Kanotix had cost him a fork and
departure of substantively all other developers to found "Sidux" with better
policies: http://linuxmafia.com/pipermail/conspire/2007-February/002808.html
Interested users might want to re-read that, as parallels with Warren's
situation are considerable -- except that, in his case, there are no 
fellow developers.  When he gets tired of an arduous release cycle, the
distro won't fork; it'll fold.

3.  There are times when responsive and reliable security updating is 
crucial, e.g., the recent and quite dire vmsplice{} security problem in
kernels 2.6.17 through 2.6.24 (that gave easy root escalation to local
users):  Woodford finally slipped an _untested_ kernel fix out the door,
with no security advisory whatsoever, _12 days_ after the vmsplice{}
hole.  Again, quoting the Distrowatch Weekly thread (post #101,
anonymous poster):

   Well, just be glad if you don't use mepis. Those guys finally got a
   fix yesterday, with no change log or anything. If you read the post,
   they keep asking if it's the fix or not. Finally one of them has to
   reasearch the kernel version to find out.. Even patch Tuesday is
   better than that.

There are small distros that get all of these issues right:  Sidux is a
prime example.  There are also distros that consistently get them wrong:
MEPIS is their standard-bearer.



[1] Woodford's mid-2006 experiment with using an Ubuntu Dapper Drake LTS
base didn't last long.  Before that, it was based on periodic forks of
the evolving Debian-unstable branch.

More information about the conspire mailing list