of the second Fedora
Core 4 test release heralded a somewhat less-publicized event: support
for Fedora Core 2 has been transferred to the Fedora Legacy Project.
This is only
the second time such a transition has occurred, so there are still a number
of interesting questions being raised about just how this transition is
supposed to work.
One such question is: what should be done about unresolved bugs in Fedora
Core 2? There are quite a few of those; about 600 for the kernel alone. Is the Fedora
Legacy group expected to take on all of those bugs? In most cases, the
answer is "no"; Fedora Legacy exists to provide ongoing security support,
and not random bug fixes. So most of those bugs could simply be closed.
As project member Matthew Miller noted,
however, that is not the case for all of them:
"Um, because some of them are security bugs that they never got
around to fixing. That's kind of annoying (Fedora security process
definitely seems to be disturbingly low priority -- see the
perl-suid buffer overflow trivial root exploit, for example) but I
don't really care whose responsibility it ought to be, since there
are people who are depending on us to make available patches to
secure their systems."
(The mentioned Perl vulnerability has been
fixed by several distributors, including Red Hat, but not Fedora.)
So somebody needs to go through all of the open bugs, figure out which ones
are security-related, and close all of the bugs which Fedora Legacy will
not even attempt to fix. Not a small job. As it turns out, there does not
appear to be consensus even on that approach, however.
Many of the bugs reported for Fedora Core 2 still exist in subsequent
Fedora releases. What really needs to be done with those bugs is to
redirect them to Fedora Core 3 and hope they get more attention
there. Other bugs may have security implications which have not yet become
evident. In any case, a wholesale closing of Fedora Core 2 bugs may
not be the right thing to do.
When LWN last looked at Fedora
Legacy (in January), the project appeared to have stalled. One might
well ask how the project will cope with a new distribution and a massive
pile of bugs when it has not been able to keep up with the responsibilities
it already had. The good news is that, in February, the Fedora Legacy
process got moving again, and the flow of updates has resumed. Fedora
Legacy is back in the business of providing support for older Fedora Core
releases - and Red Hat Linux 7.3 and 9 as well. One should note,
however, that no advisories
have come out, as of this writing, since March 24.
Fedora Legacy is a small, volunteer-driven project. It remains to
be seen whether it can take on another large distribution now - followed by Fedora
Core 3 sometime around September. At some point, something will have
to give. At the FUDCon meeting in February, Red Hat said
that it wanted to beef up the Fedora Project to gain back some of the
"early adopters" it had alienated. Perhaps providing longer-term, stable
support to the Fedora releases would be a good step in that direction.