With the release of Fedora Core (FC) 6 Test 2, the
Fedora project has stopped
supporting FC4 and passed the baton to the
Fedora Legacy project. This
is as expected, but another
announcement may come as
a bit of a surprise. Fedora Legacy has dropped support for FC1 and FC2
and will be dropping support for Red Hat (RH) 7.3 and RH9 at the end of
The Fedora Legacy project was established to backport critical security
fixes to FC releases that had reached end of life so that admins
did not have to upgrade on the fairly short time scales (roughly one
year) that Fedora would support those releases. When the project
was established, it was also providing security updates for various RH
releases. After 31 December, the last two RH releases will drop off the
list and Fedora Legacy will just be supporting FC3 and FC4.
That change potentially leaves many systems without a way to get security
patches and will require admins to either upgrade or backport fixes on their
own. It would appear that this situation is actually nothing new;
the Fedora Legacy project has been slow to patch security issues with all
of the releases they have supported. For example, the most recent RH7.3
from 6 June and there have been several recent security
issues that are presumably unpatched.
It is not just the older releases that are impacted by this, FC3 has
kernel version 2.6.12 in the legacy updates, but there have been quite
a few 2.6 kernel releases, some of them for security problems, that are
not available for FC3. The recent Apache web server
vulnerability is another
that remains unpatched for any of the legacy releases.
Where does this leave users of FC4? Given the track record, it is hard
to believe that Fedora Legacy will be quickly patching security issues
as they arise in that distribution. Upgrading to FC5 would seem the
best option for admins who do not want to maintain patches for themselves.
Of course, FC5 will be moving to Legacy support in roughly six months.
Fedora Legacy is a great idea, but appears to suffer from a lack of
participation from the community. Without timely updates for critical
bugs, the entire FC distribution series would seem to be at risk. Yearly
upgrades of systems, particularly servers, is just not possible for many
admins. This could easily turn into the Achilles' heel for Fedora Core.
to post comments)