[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: a plan for updates after end of life



Rahul Sundaram wrote:


Since we cannot give a definitive time period, because it is volunteer
based, it is better not to give one.

It is possible for volunteer based projects to give a better timeframe than merely a ad-hoc maintenance policy. We need to do this in a more organized way for end users to take advantage of this. If say the kernel or ssh isn't maintained and has security issues, would it really be useful for some of the other core packages to get updates?

Packages other than the kernel, ones that provide network services, and ones that run setuid are fairly unlikely to cause serious security problems.

For two releases and a month (approx 13 months), we do the full updates as we are doing currently. For another say 5 months or till the next release we do only security fixes and very major bug fixes (as in crashes all the time sort of bugs). We don't necessarily backport or guarantee ABI

We don't have the manpower for that.

How do we really know that? I don't think anybody has really looked at the man power required for doing just critical security fixes for a few months more.

The package maintainer might also have the option of replacing the EOL'd fedora package with one rebuilt from the CentOS distro (centosplus for the kernel) or the currently maintained fedora version so as not to have to continue to backport security patches separately.

--
  Les Mikesell
   lesmikesell gmail com


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]