[libvirt] retiring v0.9.6-maint

[Ján Tomko]

On 09/18/2014 05:15 PM, Eric Blake wrote:
> On 09/18/2014 02:36 AM, Daniel P. Berrange wrote:
>> On Wed, Sep 17, 2014 at 04:24:07PM -0600, Eric Blake wrote:
>>> Any objections to retiring the v0.9.6-maint branch?  After all, we have
>>> already retired the v0.9.11-maint branch
>>> (http://libvirt.org/git/?p=libvirt.git;a=commit;h=cd0d348ed), and the
>>> only activity on v0.9.6-maint since 0.9.6.4 was released in January 2013
>>> was the backport of a single CVE fix.  The branch no longer builds
>>> cleanly on Fedora 20, and while I could identify patches to backport to
>>> fix the build situation, it's not worth my time if we can just retire
>>> the branch.
>>
>> FWIW, I'm not really a fan of deleting the branches. Is there any harm
>> to just leaving it there idle ?
> 
> The branches aren't deleted, per se, just a new commit added on top of
> the branch that declares the intent.  For example, all you see if you
> check out v0.9.11-maint is this README file:
> 
> http://libvirt.org/git/?p=libvirt.git;a=blob;f=README;h=68aeed1ae7d131661f2ba07eff1b4ae16ac4f3b8;hb=cd0d348ed
> 
> The branch would still usable by checking out v0.9.11-maint^ as a
> detached head, so the history is still there.  All I'm proposing is
> documenting that we aren't going to try and port security fixes to the
> branch any longer, because no one appears to be actively using it.
> 

I think we need to be clearer what and how is maintained on the website.

The Security Process [1] states:
> The libvirt community maintains one or more stable release branches at any
> given point in time. The security team will aim to publish fixes for GIT
> master (which will become the next major release) and each currently
> maintained stable release branch. The distro maintainers will be
> responsible for backporting the officially published fixes to other release
> branches where applicable.

But in practice, CVE fixes are pushed to all -maint branches, not just those
with releases.

http://libvirt.org/downloads.html mentions that supported -maint branches are
considered during CVE analysis, but it's unclear on the definition of support.

This paragraph about hourly snapshots:
> These snapshots should be usable, but we make no guarantees about their
> stability; furthermore, they should NOT be considered formal releases, and
> they may have transient security problems that will not be assigned a CVE.

may give the impressions that the CVEs are fixed in the maintenance releases,
even when they're only backported on the branches.

(The wiki [2] lists past maintenance releases, but no indication whether there
will be more releases).

Since stable releases were made out of 0.9.6, I think we should mention on the
wiki/download page, that no more releases are going to be made and they are no
longer supported (same for 0.9.11 and maybe 0.10.2 too?), in addition
to/instead of deleting the content of the branch.

(Also, maintaining 20 releases is IMHO a waste of time, personally I only
backport my important fixes to the latest Fedora release where I know it will
be picked up in the next release and the latest -maint branch. Does anyone use
the -maint branches without maintenance releases? IIRC they were created for
Gentoo, but it looks like all the current versions use the vanilla sources,
with no backport from the maint branches [3]).

Jan

[3] http://packages.gentoo.org/package/app-emulation/libvirt
[2] http://wiki.libvirt.org/page/Maintenance_Releases
[1] http://libvirt.org/securityprocess.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20140919/bee90992/attachment-0001.sig>