Fedora leaves a vast legacy
One such question is: what should be done about unresolved bugs in Fedora Core 2? There are quite a few of those; about 600 for the kernel alone. Is the Fedora Legacy group expected to take on all of those bugs? In most cases, the answer is "no"; Fedora Legacy exists to provide ongoing security support, and not random bug fixes. So most of those bugs could simply be closed. As project member Matthew Miller noted, however, that is not the case for all of them:
(The mentioned Perl vulnerability has been fixed by several distributors, including Red Hat, but not Fedora).
So somebody needs to go through all of the open bugs, figure out which ones are security-related, and close all of the bugs which Fedora Legacy will not even attempt to fix. Not a small job. As it turns out, there does not appear to be consensus even on that approach, however.
Many of the bugs reported for Fedora Core 2 still exist in subsequent Fedora releases. What really needs to be done with those bugs is to redirect them to Fedora Core 3 and hope they get more attention there. Other bugs may have security implications which have not yet become evident. In any case, a wholesale closing of Fedora Core 2 bugs may not be the right thing to do.
When LWN last looked at Fedora Legacy (in January), the project appeared to have stalled. One might well ask how the project will cope with a new distribution and a massive pile of bugs when it has not been able to keep up with the responsibilities it already had. The good news is that, in February, the Fedora Legacy process got moving again, and the flow of updates has resumed. Fedora Legacy is back in the business of providing support for older Fedora Core releases - and Red Hat Linux 7.3 and 9 as well. One should note, however, that no advisories have come out, as of this writing, since March 24.
Fedora Legacy is a small, volunteer-driven project. It remains to
be seen whether it can take on another large distribution now - followed by Fedora
Core 3 sometime around September. At some point, something will have
to give. At the FUDCon meeting in February, Red Hat said
that it wanted to beef up the Fedora Project to gain back some of the
"early adopters" it had alienated. Perhaps providing longer-term, stable
support to the Fedora releases would be a good step in that direction.
Posted Apr 14, 2005 3:57 UTC (Thu)
by mattdm (subscriber, #18)
[Link]
I've also already gone through the open FC2 bugs actually *marked* as security bugs and moved them to Legacy.
More on the bigger picture surrounding this this tomorrow. Need to go to bed now. :)
Posted Apr 14, 2005 6:19 UTC (Thu)
by cdamian (subscriber, #1271)
[Link] (7 responses)
At the moment I upgrade four machines at home, whenever there is a new release. This means that I haven't had to use Fedora Legacy with Fedora yet. I use it for RH9, but even there it is not very effective. Usually I have to build fixed RPMs myself, unless I want to wait a long time for a fix.
In the near future I probably will go away from Fedora though. It is just to much work to keep up with it. Then I will choose one of Red Hat Enterprise clones.
Posted Apr 14, 2005 9:52 UTC (Thu)
by alspnost (guest, #2763)
[Link]
I think Ubuntu is the way forward now - if not for me, for my "customers". I'm sure it also has lots of updates too, but the whole thing just seems more solid and better-planned. Leading edge, but not continually-bleeding edge.
Posted Apr 14, 2005 12:41 UTC (Thu)
by skvidal (guest, #3094)
[Link] (2 responses)
-sv
Posted Apr 14, 2005 12:48 UTC (Thu)
by corbet (editor, #1)
[Link] (1 responses)
Posted Apr 14, 2005 12:53 UTC (Thu)
by skvidal (guest, #3094)
[Link]
remember, at this point red hat is maintaining:
A non-trivial amount of work.
I think the best way to increase the lifespan is to decrease the packages in core. If we can get core down to 2 cds or so and offload package maintenance of the other items to external developers in fedora extras then it'd make life a lot better for maintaining core longer.
-sv
Posted Apr 14, 2005 13:02 UTC (Thu)
by mattdm (subscriber, #18)
[Link]
Posted Apr 15, 2005 1:42 UTC (Fri)
by brouhaha (subscriber, #1698)
[Link] (1 responses)
Posted Apr 15, 2005 6:03 UTC (Fri)
by cdamian (subscriber, #1271)
[Link]
I am only using fedora because I was using RH7.x/RH9 before and I was hopeing for a similar stability.
Posted Apr 14, 2005 6:22 UTC (Thu)
by Duncan (guest, #6647)
[Link] (2 responses)
"Early adopter" surely must mean something far different to the author
than it does to me. What sort of "early adopter" would be concerned
with /anything/ in Fedora Legacy, wouldn't have been on FC3 long ago, and
likely even be on FC4-test and not even concerned about FC-3 any longer --
if they were on FC/RH at all, which would seem the original point
of the RH statement.
Perhaps providing "long-term, stable support" is a desirable thing to
do, indeed, for the conservative corporate types, but it certainly seems
odd to see it juxtaposed with "early adopter", since said "early adopter"
by any sane definition I know of, cares much more about freshness and
support at the leading/bleeding edge, than back in what they'd surely term
"ancient history".
Duncan (Who considers himself one of those "early adopters", on Gentoo
~amd64, ~ of course meaning unstable.)
Posted Apr 14, 2005 9:38 UTC (Thu)
by ballombe (subscriber, #9523)
[Link] (1 responses)
Nothing to do with people taking a pride to run as much beta release of softwares as possible.
Posted Apr 15, 2005 6:20 UTC (Fri)
by Duncan (guest, #6647)
[Link]
Posted Apr 14, 2005 6:56 UTC (Thu)
by hisdad (subscriber, #5375)
[Link] (4 responses)
When I started deploying linux for more general mail/internet use I used, 7.0, 7.1,7.2,7.3, 8, 9
Then I just blew a fuse. No way could i hope to update and maintain these sites. For while I just sat and suffered, then I heard about gentoo.
Even so, I have a dozen gentoo sites doing a system level upgrade weekly.
Gentoo is not universally appropiate, however I'm off the hamster wheel of RH updates (same comment for all the others i've not tried)
Self updating software is great!
I think back on RH like I think of bell bottemed jeans, Fun, but really!
--dad
Posted Apr 14, 2005 14:47 UTC (Thu)
by cdmiller (guest, #2813)
[Link] (1 responses)
We ditched RedHat at version 9.0, went to Mandrake. The urpmi tools have us doing updates as much as twice per week if we like from our local mirror. I had been using RedHat server side since version 4.2, but started using Debian client side while RedHat 6.2 was on the servers. Better package management with automatic dependency resolution is definitely the way to go these days. There's really no excuse to not have it. Urpmi or apt makes full version upgrades a breeze.
Posted Apr 14, 2005 16:53 UTC (Thu)
by skvidal (guest, #3094)
[Link]
yum was available for rhl 7.2 and up2date has been in there since rhl 7.0, iirc.
Those auto-satisify dependencies and update systems.
-sv
Posted Jan 26, 2006 22:11 UTC (Thu)
by nix (subscriber, #2304)
[Link] (1 responses)
(And it's just a dump/restore cycle. No harder than any other x.y upgrade of PostgreSQL.)
Posted Jan 26, 2006 22:14 UTC (Thu)
by nix (subscriber, #2304)
[Link]
Posted Apr 15, 2005 3:28 UTC (Fri)
by miallen (guest, #10195)
[Link] (2 responses)
Also, I'm personally a little urq'd that there's no distro that lasts long enough to get any freakn' work done on it. This Fedora legacy thing should be given higher priority IMHO. I'm still running RH 7.3 and my firebird install is holier than IE 4 at this point. Unfortunately I didn't learn of Fedora legacy until long after upgrading with many many .src.rpms so I think it's a little late to use it.
Posted Apr 15, 2005 6:43 UTC (Fri)
by khim (subscriber, #9252)
[Link] (1 responses)
Are the Fedora 2, 3, 4, or whatever packages really that different? Yes, it's that different. Couldn't version control be applied in such a way that fixing a bug in 4 can be automatically applied to 3, 2, etc? No. You need to build new binary packages for all configurations and test them. Also, I'm personally a little urq'd that there's no distro that lasts long enough to get any freakn' work done on it. There is. It's called RHEL (not clones - clones tend to track only last version of RHEL). In fact I think it's the only sane way to have "distro that lasts long enough to get any freakn' work done on it": either you have distro in constant upgrade state (like Gentoo) or you need to pay someone. It's quite simple actually: people dislike to mess with old packages for free. Even Debian is not able to find enough volunteers (thus mozilla in latest release had known security holes on release day!).
Posted Apr 16, 2005 0:51 UTC (Sat)
by miallen (guest, #10195)
[Link]
No. You need to build new binary packages for all configurations and test them.
I didn't mean to suggest using a VCS for storing binaries. How many distros actually modify the source of cURL, zlib, python, etc? Sure some things like Samba, bind, and apache are tweeked to integrate with the distro's management tools but there are many packages that are just installed by default without any modification. Upgrading these packages is simply a matter of applying a patch, setting the config flags, and rebuilding the package with appropriate dependencies. It's amazing to me that whenever there's a bug in zlib that each distro has to patch it independantly.
For what it's worth, there are 431 open kernel bugs in FC2 right now, and 1161 total -- so the kernel bugs actually represent a significant portion of the whole, and actually make the picture look rather better, given that Dave Jones says he's "99.99999999999999% sure there's no security implications of any of them". Fedora leaves a vast legacy
I also think that the short release cycle of Fedora is a problem. a more stable Fedora
Yes, I've mostly given up on Fedora already. It was exciting for a while, but the continual tidal wave of updates just gets beyond a joke. I had scripts and build systems to create pre-updated ISOs etc, but even then, someone with a month-old ISO will have hundreds of MB of updates to swallow over the network....a more stable Fedora
The release cycle of Fedora Core and the release cycle of Red Hat Linux are the same. Every 6 months a new release. No difference there at all. The only difference is that Red Hat only supports a release for 2 iterations rather than for 3 years like they did for RHL.a more stable Fedora
Actually, Fedora supports a release for about an iteration and a half. FC2 has gone unsupported, but FC4 isn't due until June... Full support for two iterations plus a little would help a lot; then one could get away with upgrading once per year, which isn't that bad for a lot of systems.
Not quite two iterations
Releases go over to legacy on the same day as the release of the second test release of an iteration+1. It was setup this way so fedora developers wouldn't be distracted by updates for release-2 while trying to get the current release out the door.Not quite two iterations
rhel 2.1
rhel 3
rhel 4
fedora core (2 releases at any given time)
and trying to develop for the next release.
If you're building fixed RPMs for yourself already, why not contribute to the Fedora Legacy project? The more people working on it, the less any one person has to do.a more stable Fedora
a more stable Fedora
I also think that the short release cycle of Fedora is a problem.
If you don't want a short release cycle, why are you using Fedora? That's
one of the main objectives of Fedora. Perhaps you'd be better off with a Debian-based distribution, or one of the community-supported derivatives of RHEL such as Centos, or even just buying RHEL.
That is what I said, isn't it? I am going to switch to Centos.a more stable Fedora
At the FUDCon meeting in February, Red Hat said that it wanted to
beef up the Fedora Project to gain back some of the "early adopters" it
had alienated. Perhaps providing longer-term, stable support to the Fedora
releases would be a good step in that direction.
"Early Adopters" and "Long Term Support" ???
I suspect 'Early adopters' here 'Early adopters of RH', i.e. people that started using RedHat as far back as 1998 or even sooner and were sorry to here RH 9 was the last public RH release."Early Adopters" and "Long Term Support" ???
OK, that makes a bit more sense. I'm just not used to seeing the terms "Early Adopters" and "Long Term Support" ???
juxtaposed like that, as in most contexts it makes no sense, and until
your explanation, I couldn't see how it made sense here, either.
Duncan
I've been using Rh since 5.X.Play it again, sam
I've still got sites running 6.X that will never be upgraded, since they are running Xenix software.
It was NOT an easy transition. Nor is it entirely painless in operation. The recent postgresql 8.0.2 was a kick in the ghoulies.
Every month I log in and do manual upgrades for other software, but with 'screen' this is not a problem.
Yeah,Play it again, sam
red hat has had up2date and yum for a long, long, long time now.Play it again, sam
PostgreSQL 8.0.2 is `recent'?Play it again, sam
Oops. I didn't notice I'd jumped into the past. How embarrassing.Play it again, sam
Are the Fedora 2, 3, 4, or whatever packages really that different? Couldn't version control be applied in such a way that fixing a bug in 4 can be automatically applied to 3, 2, etc? It seems silly to have to duplicate so much work. In fact it would be nice if there was a single repository of "common" packages for all distros. Each distro could elect to inherit specific patches or branch at the file level. Of course I doubt such a version control system exists.Package Version Control
Package Version Control
Couldn't version control be applied in such a way that fixing a bug in 4 can be automatically applied to 3, 2, etc?
Package Version Control