a plan for updates after end of life

Les Mikesell lesmikesell at gmail.com
Sat Feb 9 18:27:00 UTC 2008


Rahul Sundaram wrote:
>
>>
>> Since we cannot give a definitive time period, because it is volunteer
>> based, it is better not to give one.
> 
> It is possible for volunteer based projects to give a better timeframe 
> than merely an ad-hoc maintenance policy. We need to do this in a more 
> organized way for end users to take advantage of this. If say the kernel 
> or ssh isn't maintained and has security issues, would it really be 
> useful for some of the other core packages to get updates?

Packages other than the kernel, ones that provide network services, and 
ones that run setuid are fairly unlikely to cause serious security problems.

>>> For two releases and a month (approx 13 months), we do the full 
>>> updates as we are doing currently. For another say 5 months or till 
>>> the next release we do only security fixes and very major bug fixes 
>>> (as in crashes all the time sort of bugs). We don't necessarily 
>>> backport or guarantee ABI 
>>
>> We don't have the manpower for that.
> 
> How do we really know that? I don't think anybody has really looked at 
> the manpower required for doing just critical security fixes for a few 
> months more.

The package maintainer might also have the option of replacing the EOL'd 
Fedora package with one rebuilt from the CentOS distro (centosplus for 
the kernel) or the currently maintained Fedora version so as not to have 
to continue to backport security patches separately.

-- 
   Les Mikesell
    lesmikesell at gmail.com




More information about the fedora-devel-list mailing list