Again: EOL Policy for Fedora Extras

[Thorsten Leemhuis]

Hi all!


We still have no defined EOL Policy for Fedora Extras -- there were some
ideas and concepts floating around, but no real policy came out of it so
far. I'd really like to get this solved somehow soon. That's why I'm
writing this mail. 


First I'll try to summarize all the important parts of the past
discussions. Please tell me if I forgot anything important. Note, I
tried to keep the list short and only covered the most important parts
without going into the details.


Some general ideas, thoughts and quotes I found in the IRC and
mailinglist-archives:


- Now that FC3 was transfered to Legacy we need some kind of policy for
FE3, too -- users want to know if FE3 is still completely supported. 

- We are a voluntary driven project -- we can't force any packages to
still maintain FE3 if he has no interest in it. If we try it will fail.
On the other hand: We are volunteers, and if volunteers want to do
something, you shouldn't prevent them from doing it -- You should make
it as easy as possible, otherwise they will feel peed.

- We have no security team (yet); It's unclear how many packages in FE3
might have well known security problems atm (but the same is true for
FE4 and FE-devel, too)

- Core has a fairly clear policy, we need a long term policy for Extras,
too. Even if we might need to revisit parts of it if something does not
work out as planed.

- We cannot offer an old FE which is out-of-date or possible insecure at
least partially.

- It's not helpful, when some packagers still maintain it [FE3] while
others don't -- either the full show or none at all

- It would be a disservice to the community to pretend that [FE3] it's
as maintained as FE4/FE5

- It's Extras. It's unsupported by nature.

- How many fire and forget packages are sitting in Extras?



And some concrete plans:

- keep FE3 fully alive -- it's of interest for RHEL4/CentOS and/or
Aurora

- shove FE3 into a Maintenance state for now -- no new packages, no big
updates but still updates in case of security problems

- shove FE3 to Fedora Legacy

- drop FE3 at the same time when FC3 is moved to Fedora Legacy

- we create an extras legacy team that takes over FE3 when FC3 is
transfered to legacy 



So, how do we get out of the dilemma? I looks like some of the ideas are
quite contrary, so we probably can't find a solution that fits everyone.
Sigh -- this mail will probably result in a long discussion again.
That's okay, but please keep in mind that we should come out of the
discussion with a workable policy in the end. We can revisit that later
if things change.


So, let's look at some of the concrete plans a bit closer:


- Shove FE3 to Fedora Legacy

Fedora Legacy has indicated that they neither are interested nor have
the manpower to also maintain FE. Seems like a dead end.


- Drop FE3 completely 

Well, that has to happen at some point in time. But doing it at the same
time when the corresponding Core release is transferred to legacy sounds
"a bit to early" for me. A later time like "One {week,month} after FC5
was released" is also quite early, but with the current state of this
discussions it seems like a acceptable solution for now until we have a
better plan. 


- keep FE3 fully alive for RHEL4/CentOS and/or Aurora; some people that
suggested this even want to take over the complete maintainer-ship for
all packages in FE3
( https://www.redhat.com/archives/fedora-extras-list/2006-February/msg00652.html )

Well, I can understand this idea. But there are some things that I don't
like: 

-- Maintaining FE3 is a job that needs more then one packager. Two or
three is a minimum IMHO and AFAICS. 

-- Maybe the next is only a result of my conservative mind, but I'll
write it down here anyway: IMHO most people that still use FC3 due it
often for one reason: They have a stable system or web-server that does
everything what they want -- they don't want fancy new stuff or updates
that bear a risk of breaking things. Those people shouldn't get fancy
new stuff -- they should only get security updates for such "old"
distros. If they need newer stuff a updated Fedora Core is the way to
go. 


- We create an Extras Legacy Team that takes over FE3 when FC3 is
transfered to legacy 

I don't think that we find enough people for it. But maybe I'm wrong. If
a Team/SIG/Task Force shows up that is willing and *capable* to to this
(maybe in arrangement with the current extras maintainers if those are
still interested in maintaining their packages for FE3) then I think
this is a acceptable option. But I don't see such a group anywhere ATM.


- shove FE3 into a Maintenance state for now -- no new packages, no big
updates but still updates from the usual maintainers in case of security
problems

Sound like the best idea so far -- but how to we make sure that the
Extras packagers still maintain their stuff? We can't. We need a
Security SIG that oversees this and jumps in when the maintainer forgets
to fix his package. FE4 would benefit from such a Security SIG, too.

And even if we shove FE3 into a Maintenance state -- we need to define a
EOL date for FE3 in any case. When? Release of FC6? FC7? When legacy
drops the belonging Fedora Core?  


Opinions please. tia!


CU
thl 
-- 
Thorsten Leemhuis <fedora at leemhuis.info>