Fedora products, to upgrade rather than backport?

James Kosin jkosin at beta.intcomgrp.com
Tue May 16 14:06:41 UTC 2006


Jesse Keating wrote:
> So in the RHL space, the choice was clear.  Backport whenever possible.
> However the Fedora landscape is different.  "Upstream" Core does not do
> backporting, they more often than not version upgrade to resolve
> security issues.  Why should Legacy be any different?  If we want to be
> transparent to end users we should follow what "upstream" does.
>
> Flames?  Thoughts?

(1)  A backport should be preferred over an outright upgrade in most
circumstances.  One example: we should not upgrade everyone to gcc-4.x
just because upstream decides it fixes or performs better.  This would
break many things especially kernel trees.  2.4 kernels do not compile
with 4.x of gcc and that group doing work on the 2.4 kernel have
abandoned any support for 4.x of gcc.

(2)  System stability should factor into the equation.  Many times the
bleeding edge of technology is highly unstable or problematic.  Like
going from apache 1.x --> 2.0 or from 2.0 to 2.2.  The large steps
often break many things in the switch.  My recent endeavor of updating
subversion for web-dav for apache was a long process of updating
package after package to fill all the new dependencies.  Granted, I
now have a full update for subversion for FC1 if anyone wants to use
it; but, most people wouldn't want to take the chance that something
is broken due to inadequate testing.

(3)  The fewer changes posed by a backport would be better than the
massive amounts of changes in an upgrade or version bump.  Which will
mean more testing would be required for the latter!  This is a
requirement for any large system changes.  That said, even small
changes can have a big impact on a system...  Take the recent patches
to apache for security issues, which have broken one of the features of
Winki.  I still am unable to login and have not heard anything from
RedHat about any work on fixing this.  I'm not bashing anyone on this
issue; because it is not a frequently used feature when someone
forgets their password.

(4)  We need to be sure we are not opening everyone up for a bigger
problem of some security issue in the future with the newer versions
of software.  One of Linux's claims to security is the diversity of
applications out there and the many differences between all the
different versions.  Virus writers need a stable platform to do their
craft.  If we fall into Windows' trap of providing a common platform we
open up the virus world to the Linux community in a large-scale attack.
Security updates are important, but we also need to have a way of
safeguarding the current users against attacks while the solution is
merged in in a timely manner and fully tested to fix the problem and
proven not to break anything catastrophically.

-James