Whither Fedora Legacy?
It is worth noting that, for as long as it lasts, the Fedora Project's security support is excellent. Updates are released quickly, and are easily tracked using yum, up2date, or apt.
When Fedora stops supporting a release, it "transfers" that release to the Fedora Legacy project. Fedora Legacy is not part of Fedora itself; it is, instead, a separate, community-based effort dedicated to making security updates available to older Fedora Core and Red Hat Linux releases. The project's policy, as stated in the FAQ, is to support old Fedora Core releases for two release cycles after the transfer.
When Fedora Legacy is working well, it is a highly useful service. With a simple tweak to a yum configuration file, it is possible to keep an older system current with almost no effort.
Unfortunately, the last update to Fedora Core 1 came out on December 3, 2004. Any Fedora Core 1 systems which rely upon Fedora Legacy for updates are currently vulnerable to holes in the kernel, xpdf, vim, KDE, PHP, sudo, etc. The process, it would seem, has come to a complete stop for over a month. We attempted to ask (via the posted contact address) what was going on, but got no response.
A look at the project's mailing list shows that there are still signs of life. There is an open issues document which is still being maintained; it shows a substantial number of packages needing updates, along with their bugzilla URLs. There was also one message about the stoppage and whether support for Fedora Core 1 had been dropped:
Keeping a distribution current with security patches is hard, tedious, and often thankless work. It's the sort of work that people tend to demand to be paid to do. Projects like Debian and Gentoo demonstrate that this job can be done, and done well, on a volunteer basis, however. But it would appear that the requisite effort is not there for the Fedora Legacy project. Without the needed resources - developer time, systems to build packages on, and testing - a project like Fedora Legacy will fail. People who care about the security of older Fedora Core distributions - and the long-term value of Fedora releases in general - might want to think about what they can do to help the Fedora Legacy project get its process restarted.
Whither Fedora Legacy?
Posted Jan 20, 2005 3:55 UTC (Thu) by mattdm (subscriber, #18) [Link]

Posted Jan 20, 2005 14:16 UTC (Thu) by smoogen (subscriber, #97) [Link] (1 responses)

I do not know how far back Gentoo goes.. however, as they have a build from source and a portage system.. they can rely on the customers to do all the system builds for them.

To be honest.. I think Fedora Legacy is going to need some major recruiting of home hackers. It seems to have originally tried to get a lot of consulting firms to do this as it was their bacon in the fire, but very few of the 20 or so I remember in the conversation actually dove in. I do not think that their business plans, time, or abilities could afford to try this. And as you say it is a thankless job that gets mostly complaints. It is why companies charge a premium for 'legacy updates' for like old VMS and such.

The only solution I can see is that you need to recruit some home hackers and make sure that they get Free Beer/Pepsi/Whateveryouwanttodrinkmate day at every Con you can think of :).

Debian Security Policy
Posted Jan 20, 2005 16:21 UTC (Thu) by djpig (guest, #18768) [Link]

Some comments on that:

1) slink was the release before potato, not before woody. potato was supported for one year after woody release. IIRC, the security team asked some months before that for comments and only little objections were raised (although one of the objections was concerning a pool of a few thousand machines, again IIRC). A search in the archives of debian-devel-announce and/or debian-devel should probably suffice to prove me wrong or right.

2) the intended policy for the next releases can be found in the security faq: http://www.debian.org/security/faq#lifespan

Whither Fedora Legacy?
Posted Jan 20, 2005 14:57 UTC (Thu) by garloff (subscriber, #319) [Link] (1 responses)

Fixing a security problem by just updating to a newer version often is the easiest and quickest thing that a distributor can do. And some users will appreciate getting version updates this way.

However, there are serious downsides:
* The newer version may behave differently in subtle or less subtle ways.
* If the package contains libraries ... that other packages depend on, updating to newer versions may introduce breakage at various hard-to-determine places.

This means that these version updates will worsen the quality and consistency of the distribution over time. But then, a year of security updates is not much anyways.

If you plan to keep a distro running for a while, you may well want to choose a distro that does avoid version updates as security patches.

Plus, the new version may have bugs, including security ones.

Fix by version upgrade
Posted Jan 21, 2005 0:02 UTC (Fri) by giraffedata (guest, #1954) [Link]

Version upgrades of major pieces of my system, such as the kernel, are too destabilizing for me, so when I need a security fix, I try to find just the security fix and apply it myself. But I've had a rather hard time finding them, particularly for the Linux kernel. There are copious web sites reporting security flaws and pointing you to a version upgrade that fixes it, but they don't usually have the actual fix.

If anyone knows where one can find individual kernel security fixes, please post.

Posted Jan 21, 2005 0:42 UTC (Fri) by sbergman27 (guest, #10767) [Link]

One other possibility that comes to mind is RedHat doing like they are doing with Fedora Extras and providing hardware and an infrastructure and letting the community do the actual work. That way, fedora-legacy would not have to worry about things like getting their build server back into production, and could concentrate their finite resources on getting out timely updates in a predictable fashion.

Posted Jan 27, 2005 21:45 UTC (Thu) by mbp (subscriber, #2737) [Link]

All I can find is http://www.gentoo.org/proj/en/glep/glep-0019.html which is at a pretty sketchy state.

Talking about this is on the agenda for FUDCon1. Hopefully some good will come out of that.

Whither Fedora Legacy?

One of the things at least for Debian 'Legacy' is that they are only supporting 'stable' and not 3 back releases. When Woody became stable, Debian Security released a statement saying that in 6 months, they would no longer offer updates for slink. There were a lot of people saying that was horrible and they would switch to something more commercial.. however Debian stuck to it because as they said.. they don't have the resources to do so. I think Debian security has said the same thing when Sarge comes out. Woody security will occur for 6 months and then that's it.

Whither Fedora Legacy?

If supporting 7.3 is a burden, I would suggest dropping support for it. It's 5 releases old and has been supported for coming up on 3 years already. It clearly does not fall within fedora-legacy's 1-2-3 out policy.

Gentoo

Does Gentoo have a stable release, to which they backport fixes? If not, all they're doing is upgrading packages when a new release comes out, which seems to fit in your category of "fun" not "work".