Linux distribution long term support might not be what you think it is
Published on 2022-04-01.
Since I wrote The delusions of Debian, I have received a lot of email and questions. I have therefore decided to do a small follow-up about the true meaning of Long Term Support (LTS) in these projects.
Let's begin by getting the meaning of the term upstream (in software development) right. As the Wikipedia article mentions, upstream refers to a direction toward the original authors or maintainers of software. In short, when we talk about upstream developers, we talk about the people who are actually doing the programming, i.e. making the software.
A third party package in a Linux distribution or BSD variant, is a piece of software developed by someone else. Hence, PHP or PostgreSQL is a third party package.
A third party package maintainer in a Linux distribution or a BSD variant, can be that very same person who develops the software, i.e. he or she is from upstream, but in most cases that's not the case. In most cases a package maintainer is simply someone who has volunteered some amount of his or hers free time to keep that specific software in the package repository so that you, the user, can easily install it with a package manager like "apt" from Debian Linux, "pkg" from FreeBSD, or "pacman" from Arch Linux.
This means that when a project like Debian states that:
Debian's free of charge Long Term Support (LTS) version extends the lifetime of all Debian stable releases to at least 5 years. Additionally, the commercial Extended LTS initiative supports a limited set of packages for more than 5 years.
Then that sorely depends upon whether or not upstream also provides long term support!
And this is, understandingly, where most misunderstandings occur.
The information on the Debian website, and on many other Linux distributions websites, is not clear about this. The website doesn't say that this so-called long term support is dependent upon whether or not upstream also provides long term support. For some this might be obvious, maybe for a software developer, but for many other regular users, this is not so obvious.
A Linux distribution cannot normally provide any kind of long term support for any kind of third party software if such software is no longer supported by upstream.
Upstream might simply stop development all together. Or maybe they just don't provide any long term support for older versions of their software, they only provide support for bleeding edge. In such a situation, the Linux distribution has no choice but to either neglect the package, update it to the latest bleeding edge version, even if that goes against their policy, or hope that perhaps someone involved in the distribution has the necessary skills to program a fix for a possible bug or security issue.
Maybe the problem is that the word "developer" is often used a bit too loosely around Linux distributions. Often you'll hear something like the "developers of X Linux distribution". But in many cases these people are not developers at all. If by "developer" you mean that they have taken the Linux kernel, the GNU userland, some third party package manager, and then put together a Linux distribution, then sure, they have "developed" that particular Linux distribution, but there is absolutely no software development involved in that process what so ever.
Of course, some Linux distributions do have real software developers involved, in which case the distribution is put together by people who actually also knows how to program, and someone might also develop specific tools for the distribution, such as the Arch Linux developers who wrote pacman, but not all people involved in a Linux distribution are developers, and often most are not.
If a Linux distribution has some skilled programmers, they themselves can maybe, possibly, manage to backport a fix to an older version of an application that upstream no longer supports, but the sheer amount of packages in a typical distribution makes that extremely rare.