[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Some people mis interpret Fedora's Mission Statement.

Jeff Spaleta wrote:
> I'm not going to attempt to speak for anyone else as to whether an
> extended maintenence period is necessary or even desirable.  I do not
> desire it, and if the period would extended I would not be able to
> maintain the packages for that extended period of time and would
> require additional co-maintainers who would do that, while I
> concentrated testing for the newer releases.

Almost all the proposals focused on security updates. Is it really that hard
to provide security fixes only (and no other fixes) for the 13+ month old
releases (and "business as usual" for the 12- month old ones)? This is a
serious question, not a rhetorical one. I think it depends on the packages,
really: For KDE, the work would be near nil as there are very few security
issues in KDE (especially in proportion to the size of the packages) and
for those, KDE upstream publishes backported fixes even for pretty old
releases. And there are plenty of small packages in Fedora which may never
see a real security issue in their entire life. On the other hand, core,
security-critical packages like the kernel, servers, web browsers, image
processing libraries etc. are the real sources of trouble and those the
defunct Fedora Legacy project struggled with the most. (For example
xine-lib is a royal PITA security-wise.)

By the way, if you think security fixes only would be a crappy form
of "support", consider that it's all Debian is ever offering for their
stable releases. So I don't think dropping back to that model after 13
months of full upgrade support would be a bad thing if we could pull it
off. But the problem is that the amount of work is hard to quantify and
that we can't really experiment with it without the infrastructure to do
so, which is near impossible to set up outside of Fedora (it took years to
get RPM Fusion set up - sure, there are plenty of small repositories with
lower-tech infrastructure, such as my CalcForge repository, but there's no
way that infrastructure can be used for a project like this, it starts from
bandwidth (there's no way the VPS which hosts repo.calcforge.org can serve
OO.o security updates, we'd exceed our bandwidth quota in a jiffy), but it
also touches things like an SCM (I don't even have an SCM set up for the
CalcForge specfiles) and a build system (having a single person run mock by
hand to do all the builds as I do for the CalcForge repository isn't going
to scale at all)) and which Fedora is not ready to provide.

FWIW, I personally have near nil interest in old releases (I think running
old software is not what Fedora is for), but I would be willing to take
care of security fixes in the old releases for the packages I maintain or
comaintain because for those packages, except for xine-lib (which can be
dealt with by just syncing the version upgrades from the newer releases
when they fix security issues, they don't break API/ABI except for plugins,
which are all in the single xine-lib-extras-freeworld package), it's a
negligible amount of work compared to the version updates and bugfixes we
regularly do in the non-EOL releases.

        Kevin Kofler

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]