Security Response Team / EOL

Michael Schwendt bugs.michael at gmx.net
Sat Apr 29 16:37:28 UTC 2006


On Sat, 29 Apr 2006 17:28:24 +0200, Patrice Dumas wrote:

> > The planning reliability for those who would maintain the legacy branches
> > in replacement of original package owners. Assume we [the FE project]
> > transferred the FE3 branch into maintenance state tomorrow, because the
> > newly formed security response team had announced that they wanted to
> > tackle the problem of keeping FE3 secure as long as FC3 is maintained by
> > Fedora Legacy. Do we want to keep the gates wide open and permit arbitrary
> > contributors to fill FE3 with new packages which make FE3 grow and may
> > need to be fixed by the security team sooner or later? I think we don't
> > want that. 
> 
> I can't see how it is different for current releases. Exactly the same
> applies for current releases (I substituted FE3 by FE4/FE5...):

The difference is that the number of packages in the legacy release does
not increase, while the active and development branches still grow (and
shrink where orphans are removed from devel). This means the security team
faces a known constant number of packages when they start and try (!) for
the first time whether keeping FE3 in maintenance state is feasible. That
is the minimal level of planning reliability (influenced by a multitude of
factors) they can get. It is exactly like Fedora Legacy started.
Trial-and-error. Start with a few contributors and find out whether the
workload is doable. Else stop supporting a release due to lack of
resources (= often lack of interest). The entire thing is a feasibility
study. Now, if you argue that FE4 and FE5 will contain many more packages
than FE3 when they are declared legacy, well, do we discuss scalability
now as the most-important criterion? Who says that FC4 will be maintained
as long as FC3 or RHL9? Who says that FE3 is still maintained when FE5 is
added to the set? And sure, the security team may need to scale well as FE
grows. But it's more important to start somewhere, avoiding a moving
target.

> A package added in FE4/FE5 will have to be maintained much longer than a 
> package added in FE3. 

?

> And in my opinion it is better to have a package added
> to the FE3 branch by a contributor really willing to maintain that branch
> than a package added to FE4/FE5 by a contributor who doesn't want to really
> take care of that package in the long term.

Once and for all, it does not matter whether individuals may be able to
maintain their packages for a dozen distribution versions, always
up-to-date, always secure, always bug-free. The state of the package
_universe_ for a given distribution version is what matters.

More information about the fedora-extras-list mailing list