Fedora leaves a vast legacy [LWN.net]

The announcement of the second Fedora Core 4 test release heralded a somewhat less-publicized event: support for Fedora Core 2 has been transferred to the Fedora Legacy Project. This is only the second time such a transition has occurred, so there are still a number of interesting questions being raised about just how this transition is supposed to work.

One such question is: what should be done about unresolved bugs in Fedora Core 2? There are quite a few of those; about 600 for the kernel alone. Is the Fedora Legacy group expected to take on all of those bugs? In most cases, the answer is "no"; Fedora Legacy exists to provide ongoing security support, and not random bug fixes. So most of those bugs could simply be closed. As project member Matthew Miller noted, however, that is not the case for all of them:

Um, because some of them are security bugs that they never got around to fixing. That's kind of annoying (Fedora security process definitely seems to be disturbingly low priority -- see the perl-suid buffer overflow trivial root exploit, for example) but I don't really care whose responsibility it ought to be, since there are people who are depending on us to make available patches to secure their systems.

(The mentioned Perl vulnerability has been fixed by several distributors, including Red Hat, but not Fedora).

So somebody needs to go through all of the open bugs, figure out which ones are security-related, and close all of the bugs which Fedora Legacy will not even attempt to fix. Not a small job. As it turns out, there does not appear to be consensus even on that approach, however.

Many of the bugs reported for Fedora Core 2 still exist in subsequent Fedora releases. What really needs to be done with those bugs is to redirect them to Fedora Core 3 and hope they get more attention there. Other bugs may have security implications which have not yet become evident. In any case, a wholesale closing of Fedora Core 2 bugs may not be the right thing to do.

When LWN last looked at Fedora Legacy (in January), the project appeared to have stalled. One might well ask how the project will cope with a new distribution and a massive pile of bugs when it has not been able to keep up with the responsibilities it already had. The good news is that, in February, the Fedora Legacy process got moving again, and the flow of updates has resumed. Fedora Legacy is back in the business of providing support for older Fedora Core releases - and Red Hat Linux 7.3 and 9 as well. One should note, however, that no advisories have come out, as of this writing, since March 24.

Fedora Legacy is a small, volunteer-driven project. It remains to be seen whether it can take on another large distribution now - followed by Fedora Core 3 sometime around September. At some point, something will have to give. At the FUDCon meeting in February, Red Hat said that it wanted to beef up the Fedora Project to gain back some of the "early adopters" it had alienated. Perhaps providing longer-term, stable support to the Fedora releases would be a good step in that direction.

(Log in to post comments)

a more stable Fedora

Posted Apr 14, 2005 9:52 UTC (Thu) by alspnost (guest, #2763) [Link]

Yes, I've mostly given up on Fedora already. It was exciting for a while, but the continual tidal wave of updates just gets beyond a joke. I had scripts and build systems to create pre-updated ISOs etc, but even then, someone with a month-old ISO will have hundreds of MB of updates to swallow over the network....

I think Ubuntu is the way forward now - if not for me, for my "customers". I'm sure it also has lots of updates too, but the whole thing just seems more solid and better-planned. Leading edge, but not continually-bleeding edge.

a more stable Fedora

Posted Apr 14, 2005 12:41 UTC (Thu) by skvidal (subscriber, #3094) [Link]

The release cycle of Fedora Core and the release cycle of Red Hat Linux are the same. Every 6 months a new release. No difference there at all. The only difference is that Red Hat only supports a release for 2 iterations rather than for 3 years like they did for RHL.

-sv

Not quite two iterations

Posted Apr 14, 2005 12:48 UTC (Thu) by corbet (editor, #1) [Link]

Actually, Fedora supports a release for about an iteration and a half. FC2 has gone unsupported, but FC4 isn't due until June... Full support for two iterations plus a little would help a lot; then one could get away with upgrading once per year, which isn't that bad for a lot of systems.

Not quite two iterations

Posted Apr 14, 2005 12:53 UTC (Thu) by skvidal (subscriber, #3094) [Link]

Releases go over to legacy on the same day as the release of the second test release of an iteration+1. It was setup this way so fedora developers wouldn't be distracted by updates for release-2 while trying to get the current release out the door.

remember, at this point red hat is maintaining:
rhel 2.1
rhel 3
rhel 4
fedora core (2 releases at any given time)
and trying to develop for the next release.

A non-trivial amount of work.

I think the best way to increase the lifespan is to decrease the packages in core. If we can get core down to 2 cds or so and offload package maintenance of the other items to external developers in fedora extras then it'd make life a lot better for maintaining core longer.

-sv

a more stable Fedora

Posted Apr 14, 2005 13:02 UTC (Thu) by mattdm (subscriber, #18) [Link]

If you're building fixed RPMs for yourself already, why not contribute to the Fedora Legacy project? The more people working on it, the less any one person has to do.

a more stable Fedora

Posted Apr 15, 2005 1:42 UTC (Fri) by brouhaha (subscriber, #1698) [Link]

I also think that the short release cycle of Fedora is a problem.

If you don't want a short release cycle, why are you using Fedora? That's one of the main objectives of Fedora. Perhaps you'd be better off with a Debian-based distribution, or one of the community-supported derivatives of RHEL such as Centos, or even just buying RHEL.

a more stable Fedora

Posted Apr 15, 2005 6:03 UTC (Fri) by cdamian (subscriber, #1271) [Link]

That is what I said, isn't it? I am going to switch to Centos.

I am only using fedora because I was using RH7.x/RH9 before and I was hopeing for a similar stability.

"Early Adopters" and "Long Term Support" ???

Posted Apr 14, 2005 6:22 UTC (Thu) by Duncan (guest, #6647) [Link]

At the FUDCon meeting in February, Red Hat said that it wanted to beef up the Fedora Project to gain back some of the "early adopters" it had alienated. Perhaps providing longer-term, stable support to the Fedora releases would be a good step in that direction.

"Early adopter" surely must mean something far different to the author than it does to me. What sort of "early adopter" would be concerned with /anything/ in Fedora Legacy, wouldn't have been on FC3 long ago, and likely even be on FC4-test and not even concerned about FC-3 any longer -- if they were on FC/RH at all, which would seem the original point of the RH statement.

Perhaps providing "long-term, stable support" is a desirable thing to do, indeed, for the conservative corporate types, but it certainly seems odd to see it juxtaposed with "early adopter", since said "early adopter" by any sane definition I know of, cares much more about freshness and support at the leading/bleeding edge, than back in what they'd surely term "ancient history".

Duncan (Who considers himself one of those "early adopters", on Gentoo ~amd64, ~ of course meaning unstable.)

"Early Adopters" and "Long Term Support" ???

Posted Apr 14, 2005 9:38 UTC (Thu) by ballombe (subscriber, #9523) [Link]

I suspect 'Early adopters' here 'Early adopters of RH', i.e. people that started using RedHat as far back as 1998 or even sooner and were sorry to here RH 9 was the last public RH release.

Nothing to do with people taking a pride to run as much beta release of softwares as possible.

"Early Adopters" and "Long Term Support" ???

Posted Apr 15, 2005 6:20 UTC (Fri) by Duncan (guest, #6647) [Link]

OK, that makes a bit more sense. I'm just not used to seeing the terms
juxtaposed like that, as in most contexts it makes no sense, and until
your explanation, I couldn't see how it made sense here, either.

Duncan

Play it again, sam

Posted Apr 14, 2005 6:56 UTC (Thu) by hisdad (subscriber, #5375) [Link]

I've been using Rh since 5.X.
I've still got sites running 6.X that will never be upgraded, since they are running Xenix software.

When I started deploying linux for more general mail/internet use I used, 7.0, 7.1,7.2,7.3, 8, 9

Then I just blew a fuse. No way could i hope to update and maintain these sites. For while I just sat and suffered, then I heard about gentoo.
It was NOT an easy transition. Nor is it entirely painless in operation. The recent postgresql 8.0.2 was a kick in the ghoulies.

Even so, I have a dozen gentoo sites doing a system level upgrade weekly.
Every month I log in and do manual upgrades for other software, but with 'screen' this is not a problem.

Gentoo is not universally appropiate, however I'm off the hamster wheel of RH updates (same comment for all the others i've not tried)

Self updating software is great!

I think back on RH like I think of bell bottemed jeans, Fun, but really!

--dad

Play it again, sam

Posted Apr 14, 2005 14:47 UTC (Thu) by cdmiller (subscriber, #2813) [Link]

Yeah,

We ditched RedHat at version 9.0, went to Mandrake. The urpmi tools have us doing updates as much as twice per week if we like from our local mirror. I had been using RedHat server side since version 4.2, but started using Debian client side while RedHat 6.2 was on the servers. Better package management with automatic dependency resolution is definitely the way to go these days. There's really no excuse to not have it. Urpmi or apt makes full version upgrades a breeze.

Play it again, sam

Posted Apr 14, 2005 16:53 UTC (Thu) by skvidal (subscriber, #3094) [Link]

red hat has had up2date and yum for a long, long, long time now.

yum was available for rhl 7.2 and up2date has been in there since rhl 7.0, iirc.

Those auto-satisify dependencies and update systems.

-sv

Play it again, sam

Posted Jan 26, 2006 22:11 UTC (Thu) by nix (subscriber, #2304) [Link]

PostgreSQL 8.0.2 is `recent'?

(And it's just a dump/restore cycle. No harder than any other x.y upgrade of PostgreSQL.)

Play it again, sam

Posted Jan 26, 2006 22:14 UTC (Thu) by nix (subscriber, #2304) [Link]

Oops. I didn't notice I'd jumped into the past. How embarrassing.

Package Version Control

Posted Apr 15, 2005 3:28 UTC (Fri) by miallen (guest, #10195) [Link]

Are the Fedora 2, 3, 4, or whatever packages really that different? Couldn't version control be applied in such a way that fixing a bug in 4 can be automatically applied to 3, 2, etc? It seems silly to have to duplicate so much work. In fact it would be nice if there was a single repository of "common" packages for all distros. Each distro could elect to inherit specific patches or branch at the file level. Of course I doubt such a version control system exists.

Also, I'm personally a little urq'd that there's no distro that lasts long enough to get any freakn' work done on it. This Fedora legacy thing should be given higher priority IMHO. I'm still running RH 7.3 and my firebird install is holier than IE 4 at this point. Unfortunately I didn't learn of Fedora legacy until long after upgrading with many many .src.rpms so I think it's a little late to use it.

Package Version Control

Posted Apr 15, 2005 6:43 UTC (Fri) by khim (subscriber, #9252) [Link]

Are the Fedora 2, 3, 4, or whatever packages really that different?

Yes, it's that different.

Couldn't version control be applied in such a way that fixing a bug in 4 can be automatically applied to 3, 2, etc?

No. You need to build new binary packages for all configurations and test them.

Also, I'm personally a little urq'd that there's no distro that lasts long enough to get any freakn' work done on it.

There is. It's called RHEL (not clones - clones tend to track only last version of RHEL).

In fact I think it's the only sane way to have "distro that lasts long enough to get any freakn' work done on it": either you have distro in constant upgrade state (like Gentoo) or you need to pay someone. It's quite simple actually: people dislike to mess with old packages for free. Even Debian is not able to find enough volunteers (thus mozilla in latest release had known security holes on release day!).

Package Version Control

Posted Apr 16, 2005 0:51 UTC (Sat) by miallen (guest, #10195) [Link]

Couldn't version control be applied in such a way that fixing a bug in 4 can be automatically applied to 3, 2, etc?

No. You need to build new binary packages for all configurations and test them.

I didn't mean to suggest using a VCS for storing binaries. How many distros actually modify the source of cURL, zlib, python, etc? Sure some things like Samba, bind, and apache are tweeked to integrate with the distro's management tools but there are many packages that are just installed by default without any modification. Upgrading these packages is simply a matter of applying a patch, setting the config flags, and rebuilding the package with appropriate dependencies. It's amazing to me that whenever there's a bug in zlib that each distro has to patch it independantly.