RFC: Rethinking EPEL at FUDcon Lawrence 2013

Greg Swift gregswift at gmail.com
Wed Dec 5 14:47:23 UTC 2012 

On Tue, Dec 4, 2012 at 5:46 PM, Ken Dreyer <ktdreyer at ktdreyer.com> wrote:

> On Tue, Dec 4, 2012 at 3:48 PM, Greg Swift <gregswift at gmail.com> wrote:
> > I'm personally inclined to lean toward the concept I was pushing in the
> > thread discussing multiple versions [1].  I'd imagine that a 'api stable'
> > repo and a 'rolling' repo would be less support effort than attempting to
> > manage >8 repositories per major release and the security updates that
> need
> > to be applied on older version.
>
> My main concern with multiple EPEL repos is that users will be in a
> worse condition security-wise. Many users will download an application
> from the "api stable" repo, but they will not realize that no one is
> doing backports any more, because all the interested EPEL maintainers
> left that behind to focus on the "rolling" repo.
>
> The analogy that comes to my mind is Fedora: What if we kept old
> Fedora releases going back all the way to Fedora 6 open to maintainers
> to patch on a voluntary basis, and we never really announced EOL for
> any Fedora release? Fedora users would have to know enough to keep
> jumping along with whatever's maintained.
>
> It seems to me that we have to choose between occasional instability
> and insecurity. I'd rather EPEL's reputation err on the side of
> instability rather than insecurity.
>

I can back that line of thought.  Plus providing 1 path means less change!
:)

>
> > So, unless someone wants to turn EPEL into a paid service, #1 is out
> > (hey...  thats an interesting concept...)
>
> Maybe money does have to enter the picture at some point. Corporations
> should commit to pay salaries for more developers to do EPEL backports
> if it's important to their businesses.
>

So... anyone got any motivation in pushing a product internally @ Red Hat
that does this? :)


Also.... I hadn't mentioned it before on here, because in general
mentioning tends to mean you have to do it and I don't really have the
cycles available.  But as of this morning I figured I'd float the concept
anyways.

What would it take to basically have a yum plugin would check a
'notification' feed (something simple like rss or atom) about a specific
repository.  Notifications found on that feed would throw messages in the
yum output and /var/log/messages.  This feed could provide notices like
'Hey, this version is deprecated and insecure, you need to update'.  An
extension of this might be that it marks the package as an 'exclude' if it
can't just be updated without interference.  This would allow a
notification method, and a way for users to not get an update if its going
to break them, but also allowing the main page to just continuously be
updated.

Then this package could possibly be a required package from the
epel-release package.

-greg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/epel-devel-list/attachments/20121205/1d431e1d/attachment.htm>

More information about the epel-devel-list mailing list