Whither Fedora Legacy? [LWN.net]

Users of the Fedora Core distribution (or any other distribution, for that matter) are well advised to understand its security update policies. Fedora does not backport security fixes into the version of the affected program which was originally shipped with the distribution; instead, the application is simply updated to the current version. Security updates are made for approximately one year, after which the Fedora project moves on to supporting its newer versions. Sometimes the support period is shorter; Fedora Core 2, which was released on May 18, 2004, is currently scheduled to become unsupported on March 21.

It is worth noting that, for as long as it lasts, the Fedora Project's security support is excellent. Updates are released quickly, and are easily tracked using yum, up2date, or apt.

When Fedora stops supporting a release, it "transfers" that release to the Fedora Legacy project. Fedora Legacy is not part of Fedora itself; it is, instead, a separate, community-based effort dedicated to making security updates available to older Fedora Core and Red Hat Linux releases. The project's policy, as stated in the FAQ, is to support old Fedora Core releases for two release cycles after the transfer.

When Fedora Legacy is working well, it is a highly useful service. With a simple tweak to a yum configuration file, it is possible to keep an older system current with almost no effort.

Unfortunately, the last update to Fedora Core 1 came out on December 3, 2004. Any Fedora Core 1 systems which rely upon Fedora Legacy for updates are currently vulnerable to holes in the kernel, xpdf, vim, KDE, PHP, sudo, etc. The process, it would seem, has come to a complete stop for over a month. We attempted to ask (via the posted contact address) what was going on, but got no response.

A look at the project's mailing list shows that there are still signs of life. There is an open issues document which is still being maintained; it shows a substantial number of packages needing updates, along with their bugzilla URLs. There was also one message about the stoppage and whether support for Fedora Core 1 had been dropped:

No, but a combination of lack of manpower, downtime on the build server and the fact that we are releasing Red Hat 7.3, Red Hat 9 and Fedora Core 1 packages together means that the project is grinding to a halt. As soon as the build server comes back I will try and clear a lot of the backlog.

Keeping a distribution current with security patches is hard, tedious, and often thankless work. It's the sort of work that people tend to demand to be paid to do. Projects like Debian and Gentoo demonstrate that this job can be done, and done well, on a volunteer basis, however. But it would appear that the requisite effort is not there for the Fedora Legacy project. Without the needed resources - developer time, systems to build packages on, and testing - a project like Fedora Legacy will fail. People who care about the security of older Fedora Core distributions - and the long-term value of Fedora releases in general - might want to think about what they can do to help the Fedora Legacy project get its process restarted.

(Log in to post comments)

Whither Fedora Legacy?

Posted Jan 20, 2005 14:16 UTC (Thu) by smoogen (subscriber, #97) [Link]

One of the things at least for Debian 'Legacy' is that they are only supporting 'stable' and not 3 back releases. When Woody became stable, Debian Security released a statement saying that in 6 months, they would no longer offer updates for slink. There was a lot of people saying that was horrible and they would switch to something more commercial.. however Debian stuck to it because as they said.. they dont have rhe resources to do so. I think Debian security has said the same thing when Sarge comes out. Woody security will occur for 6 months and then thats it.

I do not know how far back Gentoo goes.. however, as they have a build from source and a portage system.. they can rely on the customers to do all the system builds for them.

To be honest.. I think Fedora Legacy is going to need some major recruiting of home hackers. It seems to have originally tried to get a lot of consulting firms to do this as it was their bacon in the fire, but very few of the 20 or so I remember in the conversation actually dove in. I do not think that their business plans, time, or abilities could afford to try this. And as you say it is a thankless job that gets mostly complaints. It is why companies charge a premium for 'legacy updates' for like old VMS and such.

The only solution I can see is that you need to recruit some home hackers and make sure that they get Free Beer/Pepsi/Whateveryouwanttodrinkmate day at every Con you can think of :).

Debian Security Policy

Posted Jan 20, 2005 16:21 UTC (Thu) by djpig (subscriber, #18768) [Link]

Some comments on that:

1) slink was the release before potato, not before woody. potato was supported for one year after woody release. IIRC, the security team asked some months before that for comments and only little objections were rised
(although one of the objections was concerning a pool of a few thousand
machines, again IIRC). A search in the archives of debian-devel-announce
and/or debian-devel should probably suffice to prove me wrong or right.

2) the intended policy for the next releases can be found in the security
faq: http://www.debian.org/security/faq#lifespan

Whither Fedora Legacy?

Posted Jan 20, 2005 14:57 UTC (Thu) by garloff (subscriber, #319) [Link]

Fixing a security problem by just updating to a newer version often is
the easiest and quickest that a distributor can do.
And some users will appreciate to get version updates this way.

However, there are serious downsides:
* The newer version may behave differently in subtle or less subtle
ways.
* If the package contains libraries ... that other packages depend on,
updating to newer versions may introduce breakage at various hard-to
determine places.

This means that these version updates will worsen the quality and
consistency of the distribution over time. But then, a year of security
updates is not much anyways.
If you plan to keep a distro running for a while, you may well want to
chose a distro that does avoid version updates as security patches.

Fix by version upgrade

Posted Jan 21, 2005 0:02 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

Plus, the new version may have bugs, including security ones.

Version upgrades of major pieces of my system, such as the kernel, are too destabilizing for me, so when I need a security fix, I try to find just the security fix and apply it myself. But I've had a rather hard time finding them, particularly for the Linux kernel. There are copious web sites reporting security flaws and pointing you to a version upgrade that fixes it, but they don't usually have the actual fix.

If anyone knows where one can find individual kernel security fixes, please post.

Whither Fedora Legacy?

Posted Jan 21, 2005 0:42 UTC (Fri) by sbergman27 (guest, #10767) [Link]

If supporting 7.3 is a burden, I would suggest dropping support for it. It's 5 releases old and has been supported for coming up on 3 years already. It clearly does not fall within fedora-legacy's 1-2-3 out policy.

One other possibility that comes to mind is RedHat doing like they are doing with Fedora Extras and providing hardware and an infrustructure and letting the community do the actual work. That way, fedora-legacy would not have to worry about things like getting their build server back into production, and could concentrate their finite resources on getting out timely updates in a predictable fashion.