By the time you read this, the long-awaited, slightly-delayed Fedora
Core 6 release may be available. Then again, maybe not
. But it should be out sometime
soon, really. This distribution, once it is released, will come with
excellent security support from the Fedora Project - for ten months or so.
Once the second Fedora Core 8 test release is available, this shiny
new Fedora Core 6 distribution will be cut off and handed over to the
Fedora Legacy project
A look at the Fedora
Legacy wiki page yields this text:
We are currently maintaining Red Hat Linux 7.3 and 9 as well as
Fedora Core 3 and 4 as these have been transferred into maintenance
mode from Fedora Core. We will provide updates for these releases
for as long as there is community interest though we in general
follow the 1-2-3 and out policy. This provides an effective
supported lifetime (Fedora Core plus Fedora Legacy Support) of
approximately 1.5 years or even more.
The project has helpfully provided some yum configurations to make
getting the updates as easy as possible. The promised "effective supported
lifetime" should be a great comfort for users who do not want to upgrade
their systems every six months or so.
There's only one little problem: Fedora Legacy has yet to provide a single
update for Fedora Core 4, which was transferred to the project in
July. In fact, Fedora Legacy has not provided any updates, for any
of the distributions it claims to support, since
July - an outage of almost three months. During this period,
vulnerabilities have been reported in a small number of packages:
firefox (3 sets),
thunderbird (3 sets),
The above list is just a subset of the actual reported vulnerabilities.
But the point should be clear: any useful Fedora Core 4 system will
be running a fair number of the above packages - and they all contain known
security problems. It would be nice to close those holes, but no FC4
updates are available. Any system administrator who still believed that
Fedora Legacy would help to keep older Fedora Core systems secure should,
by now, be having second thoughts.
Fedora Legacy was created with the idea that the user community would help
to produce updates for packages affected by security problems. The
community has clearly failed to step up to that task. It would appear that
Fedora users - at least, those who could help with security updates -
are so interested in staying on the leading edge that they upgrade long
before any Fedora release loses support. Other users who care will have
moved on to other distributions - paid or free - which offer security
support for a longer period of time.
Fedora Core 1 was released almost exactly three years ago, meaning that we
have about three years of experience with Fedora Legacy. Perhaps the time
has come to ask the question: is there any point in continuing to pretend
that Fedora Legacy is a viable, successful project? Perhaps the Fedora
Project should consider ending Fedora Legacy before its web pages convince
anybody else that they can safely defer upgrading unsupported systems. The
Fedora Project makes no apologies for its support policy, and there is no
reason why it should. But there is also no reason to maintain the illusion
of an option for longer-term support which does not actually exist.
to post comments)