Weekly Edition
Return to the Front page
| |||||||||||||
An empty legacy
By the time you read this, the long-awaited, slightly-delayed Fedora
Core 6 release may be available. Then again, maybe not. But it should be out sometime
soon, really. This distribution, once it is released, will come with
excellent security support from the Fedora Project - for ten months or so.
Once the second Fedora Core 8 test release is available, this shiny
new Fedora Core 6 distribution will be cut off and handed over to the
Fedora Legacy project.
A look at the Fedora Legacy wiki page yields this text:
We are currently maintaining Red Hat Linux 7.3 and 9 as well as
Fedora Core 3 and 4 as these have been transferred into maintenance
mode from Fedora Core. We will provide updates for these releases
for as long as there is community interest though we in general
follow the 1-2-3 and out policy. This provides an effective
supported lifetime (Fedora Core plus Fedora Legacy Support) of
approximately 1.5 years or even more.
The project has helpfully provided some yum configurations to make getting the updates as easy as possible. The promised "effective supported lifetime" should be a great comfort for users who do not want to upgrade their systems every six months or so. There's only one little problem: Fedora Legacy has yet to provide a single update for Fedora Core 4, which was transferred to the project in July. In fact, Fedora Legacy has not provided any updates, for any of the distributions it claims to support, since July - an outage of almost three months. During this period, vulnerabilities have been reported in a small number of packages:
alsaplayer, apache (2), bind, binutils (2), clamav, firefox (3 sets), freetype gdb (2), gcc, gnupg (2), gnutls, gzip, imagemagick (3), kdebase (2), kernel (4), krb5, lesstif, libtiff, mailman, mysql (3), ntp, openldap, openoffice.org, openssh (2), openssl (2), perl, php (5), ppp, python, ruby, sendmail (2), squirrelmail, streamripper, sudo, thunderbird (3 sets), wireshark (2), xinit, xpdf, x.org (2) The above list is just a subset of the actual reported vulnerabilities. But the point should be clear: any useful Fedora Core 4 system will be running a fair number of the above packages - and they all contain known security problems. It would be nice to close those holes, but no FC4 updates are available. Any system administrator who still believed that Fedora Legacy would help to keep older Fedora Core systems secure should, by now, be having second thoughts. Fedora Legacy was created with the idea that the user community would help to produce updates for packages affected by security problems. The community has clearly failed to step up to that task. It would appear that Fedora users - at least, those who could help with security updates - are so interested in staying on the leading edge that they upgrade long before any Fedora release loses support. Other users who care will have moved on to other distributions - paid or free - which offer security support for a longer period of time. Fedora Core 1 was released almost exactly three years ago, meaning that we have about three years of experience with Fedora Legacy. Perhaps the time has come to ask the question: is there any point in continuing to pretend that Fedora Legacy is a viable, successful project? Perhaps the Fedora Project should consider ending Fedora Legacy before its web pages convince anybody else that they can safely defer upgrading unsupported systems. The Fedora Project makes no apologies for its support policy, and there is no reason why it should. But there is also no reason to maintain the illusion of an option for longer-term support which does not actually exist. (Log in to post comments)
An empty legacy Posted Oct 19, 2006 4:04 UTC (Thu) by bojan (subscriber, #14302) [Link] > Any system administrator who still believed that Fedora Legacy would help to keep older Fedora Core systems secure should, by now, be having second thoughts.
I would think most people either:
- upgraded to a supported Fedora version
An empty legacy Posted Oct 19, 2006 4:23 UTC (Thu) by sbergman27 (guest, #10767) [Link] >I would think most people either:> >- upgraded to a supported Fedora version >- switched to CentOS 3/4
Yes. But there is a pretty huge gap between upgrading to the latest Fedora Core grab bag and committing to a distro that only releases every 1.5 - 2 years.
CentOS4 is a great option... and is showing its age.
Does it all have to be extremes? Couldn't we who prefer the RedHat style be allowed some sort of middle ground? Something with an expiration date beyond that of the milk in our regrigerators, but more ephemeral than the rock of Gibraltar?
FedentOS, maybe?
Or does that sound too much like chewing gum for denture wearers?
An empty legacy Posted Oct 19, 2006 4:28 UTC (Thu) by bojan (subscriber, #14302) [Link] > CentOS4 is a great option... and is showing its age.
Yeah, true. Hopefully, RHEL 5 and therefore CentOS 5 are just around the corner... :-)
An empty legacy Posted Oct 20, 2006 9:30 UTC (Fri) by ronaldcole (guest, #1462) [Link] Isn't RHEL 5 targeted for release in December? Sounds to me like two months to shake out the bugs in RHEL 5 beta, a.k.a. Fedora Core 6.
An empty legacy Posted Oct 22, 2006 10:00 UTC (Sun) by rahulsundaram (subscriber, #21946) [Link]
RHEL 5 has its own beta cycle. Fedora Core releases are not a beta of anything
An empty legacy Posted Oct 19, 2006 11:44 UTC (Thu) by nim-nim (subscriber, #34454) [Link] > Does it all have to be extremes? Couldn't we who prefer the RedHat style be> allowed some sort of middle ground? Something with an expiration date beyond > that of the milk in our regrigerators, but more ephemeral than the rock of > Gibraltar?
It doesn't *have* to. All you need is to find enough interested people to revive Fedora Legacy (which has access to the Fedora build and distribution infrastructure, among other things)
An empty legacy Posted Oct 19, 2006 20:18 UTC (Thu) by smoogen (subscriber, #97) [Link] The issue comes down to time and compensation. Do I have enough available free time that I can spend on supporting a legacy software? Does the compensation of good feeling make up for the loss of compensation that I might get elsewhere? [swimming, drinking, dancing, playing with the kid, doing the laundry, etc]
In places where you are going to have to do backports of code, make sure you didn't break anything else, wait for qa, etc... that is a lot of commitment of free-time. I spent 20 hours on just on package doing qa to make sure it didnt introduce problems). In most cases, people do this out of a greater calling ('I am helping the kids..') or for a monetary compensation.
The Centos developers do quite a bit of work daily on making sure that stuff is fed upstream/recompiled correctly/etc. They do it out of a calling and the fact that many of them have consulting businesses that depend on having a stable 'no-cost' distro. Some have other reasons, but all those reasons are compensation to the 10-40 hours a week they spend dealing with a 'recompiled OS'.
The Fedora Legacy does not seem to have this level of compensation and so it has languished. I can only mea-culpa.
An empty legacy Posted Oct 19, 2006 14:48 UTC (Thu) by kh (subscriber, #19413) [Link] I wonder how many have switched to Ubuntu. Even for my desktop systems, I don't want updates every 6 months - I did at one time but most software I care about has matured to the point that the (non security) upgrades don't seem so important anymore.
An empty legacy Posted Oct 19, 2006 18:03 UTC (Thu) by landley (guest, #6789) [Link] I know exactly one guy still using Fedora (and he's made noises aboutswitching but hates system administration so much he still hasn't really looked at the alternatives). Everyone else is using Ubuntu or occasionally Gentoo. Rob
An empty legacy Posted Oct 20, 2006 2:55 UTC (Fri) by skvidal (subscriber, #3094) [Link] If you listened only to comments in lwn then you'd think everyone uses gentoo or ubuntu. Though, it's funny. For the last 2 weeks there have been large articles about fedora on the front page and they've garnered a lot of conversation about fedora. And the fedora community is ever-growing. And the download numbers and rates seem to be perpetually growing, as well.
For a distribution that a lot of commenters on lwn seem to think that "everyone is switching away from" it sures seems like a lot of people are using it and more people are participating all the time.
hmm..
An empty legacy Posted Oct 20, 2006 4:53 UTC (Fri) by dberkholz (subscriber, #23346) [Link] Big difference between the readers of LWN and the Linux user community as a whole...
An empty legacy Posted Oct 20, 2006 9:44 UTC (Fri) by sbergman27 (guest, #10767) [Link] I dropped Fedora because of the cavalier attitude that distro began to take with its users. The eternal upgrade treadmill simply became too much of a problem. I moved most of my clients to CentOS. But for some, CentOS is not appropriate. Ubuntu is more or less perfect for them. I had to learn the "Debian Way" of doing things. And I had to get over my dislike of the Debian family of Linux OSes. But it's been worth it.
That should give you a hint as to just how badly Fedora, for all the statements from various Fedora officials that they are out to prove that they are not just RH's beta, has handled things. (If it looks like a duck, and quacks like a duck...)
If Fedora ever stopped treating FC+1-2 like a dead body they'd as soon be rid of, I would seriously consider moving some clients back to it.
An empty legacy Posted Oct 20, 2006 15:31 UTC (Fri) by TxtEdMacs (guest, #5983) [Link] Sorry downloads and actual, extended use are not closely coupled parameters.
Consider my case: I loaded Fedora Core 3 onto a laptop that previously contained a very broken version of Mandrak 9.1 Pro. I was astounded on the ease of installation and the effective updates. However, as the end of support approached I moved to a different machine that went through Debian Stable with mostly Testing and just a bit of Unstable for version 3.0. I was at my happiest and ignored Fedora my laptop. At the end of 2005 a distribution upgrade to Sarge 3.1 broke my system. I limped along until I did a distribution upgrade of a neglected Ubuntu 5.04 to 5.10 that was sitting on a second disc. Not too long afterward most of my bootups were into the Ubuntu. I kept Ubuntu current with security upgrades and did most of my work off this second disc.
This past Spring due to making a trip I did a quick upgrade of the laptop to Fedora Core 4 that was a disaster. I probably just used its minimal capabilities or I slapped on Ubuntu. I think it was the former, but I made some minimal use of the machine on the trip - just email and some internet browsing.
In the last few months I have downloaded and had a server running Fedora Core 4 then Fedora Core 5. However, let's review what I have actually running and in use at this time:
Desktop(s) Debian (unused) first disc waiting for new distribution, second disc: Ubuntu 5.10 most heavily used.
Laptop: Ubuntu Desktop 6.06, loaded in July very light use so far.
Server: Ubuntu Server 6.06, loaded late September has been running constantly, but mostly unattended.
Hence, while having downloaded recent versions of Fedora Core 4 and 5 I have found Ubuntu more appropriate to my needs. While I liked parts of Fedora other characteristics attracted me to stay with another distribution where longer term support for security fixes were of paramount importance.
Future plans? Debian gets replaced by 6.10, and the 5.10 goes to 6.06. Laptop will be used to test more risky software releases, e.g. Flash 9 and perhaps the minefield version of Firefox (a.k.a. upcoming version 3.0).
Therefore, I suggest you not read too much into downloads.
A Fedora User For the Long Haul Posted Oct 26, 2006 7:45 UTC (Thu) by Pc5Y9sbv (guest, #41328) [Link] I am still installing Fedora everywhere I go. I reluctantly switched to RedHat from Slackware a looong time ago (early to mid-90s) when I needed a version to run on a DEC Alpha and couldn't be bothered to simultaneously manage two different distributions on my Alpha versus my PC. Despite many frustrations with the way they try to make Linux behave like Windows, I've grown to appreciate the hard work they do too. And many of the faults actually lie in upstream sources, so I can only blame Fedora for including them...
I never believed in "upgrade" of Linux systems, but rather accepted a periodic reinstall while migrating my home directory data. However, with Fedora I recently discovered, during a business trip, my wife's laptop was running a very stale FC3 and I remotely upgraded it via yum FC3->FC4->FC5 to become fully up to date. (I did this so we could try using ekiga to chat internationally.)
It worked like a charm, right up until it ran out of disk space. However, even then I was able to recover it, clear some space, and finish the upgrade. Note to self: yum upgrade at one point has the old system, all the new downloaded packages, and potentially some of the new package files installed too, it would seem. Needs lots of disk space. I only had to manually search for some really old packages that were orphaned when yum fell over in the middle of a "delete and install" transaction. It is funny how they use the word transaction here...
So, I think it is reasonable to say a real "legacy" strategy for Fedora users is to wait until updates are tapped out in an old distribution, and then upgrade the system to the newer release+updates. By this time, the new release should have most of its bugs patched in the updates stream too. For people who really cannot take this risk of modernity, I agree they probably ought to be running a more conservative distribution like CentOS.
Ironically, the only real problem I've had recently was a bizarre heisenbug on a regular FC5 laptop (not one that had followed such a convoluted upgrade path). With the latest updates a few weeks ago, it began having oom-killer storms in the night correlated with the daily cron jobs. I could not resolve this, and eventually reinstalled from scratch. Problem disappeared. Searching the web gave few hints, and it seems people who encounter this have been using all different distributions and not just Fedora! Search hits are always to someone reporting the issue, getting no resolution, and solving it via frustrated reinstall.
A Fedora User For the Long Haul Posted Oct 26, 2006 21:40 UTC (Thu) by at2000 (guest, #20920) [Link] I sort of dislike this altitude of the RedHat camp. My oldest debian/ubuntu linux was installed around 6 years ago and has survived for 6 upgrades now (potato -> woody -> sarge -> hoary -> breezy -> dapper -> edgy). Other systems are also upgraded twice or so like this. To me, upgrades never fail, and more importantly, it has near zero downtime.
A Fedora User For the Long Haul Posted Oct 27, 2006 3:48 UTC (Fri) by Pc5Y9sbv (guest, #41328) [Link] Which attitude is that? I am saying the upgrade DID work, and would have had near zero downtime if I hadn't tried to do it to a system that was 98% full when I started.
This was a completely remote, network based upgrade by pointing yum at a mirror site, installing the new fedora-release package, running "yum upgrade", and then rebooting with the new kernel at the end. I did this via ssh... My extra grief was clearing some space and running "yum upgrade" again in the middle, following by a search through all packages sorted by install time to find a few orphans to delete.
My attitude about not trusting upgrades predates RedHat, and comes from my experience with Slackware, SLS, and older non-Linux environments...
Also, the problem with the oom-killer storms was reported also by Ubuntu and Debian users when I did a web search. It seems to be a very erratic bug, not tied to any particular distribution or kernel version.
Ubuntu is not free from troubles either Posted Oct 29, 2006 14:50 UTC (Sun) by dag- (subscriber, #30207) [Link] I am disappointed that some people, like you, feel the need to polarize the community. All distributions have problems with supporting seamless upgrades between releases. It may have worked in your case, but that doesn't mean that it works for everybody. (Just like if it breaks for one person it doesn't fail for all users).
The irony is that on slashdot the following article appeared:
Upgrading to Ubuntu Edgy Eft a "Nightmare"
So it's not an isolated problem with Fedora. Fact is that it is easy to do reinstallations to test a products consistency, but it is much harder to test upgrades and reiterate over the same upgrade (for all the different systems that exist). Once a system is upgraded (with all its problems) you loose the original system to debug and fix it.
An Enterprise Linux distribution is what you need if you want to be free of upgrade problems. Long support and non-disruptive changes is what 99.99% of the people need. Go with CentOS or Ubuntu LTS instead.
Stop polarizing the community and take a step back. Red Hat is improving Ubuntu indirectly, and vice versa. Killing diversity is killing the community.
Why I left FL Posted Oct 19, 2006 13:33 UTC (Thu) by tseaver (subscriber, #1544) [Link] I was helping QA packages for FL up until July, when they dropped support for the release I cared about (FC1). The ironic bit that they dropped the older relases (RH7.3, RH9, FC1, FC2) in order to free up resources to focus on the more recent FC releases; hovever, many (most?) of their active volunteers were participating precisely in order to extend the lifetime of the older ones.
I think the 6 month upgrade cycle is workable only for desktop users, who can and should be encouraged to backup and reinstall, rather than trying to keep the older version going.
Migration Posted Oct 19, 2006 14:26 UTC (Thu) by jreiser (subscriber, #11027) [Link] ... desktop users, who can and should be encouraged to backup and reinstall ...Except that there is much too little support, and almost no testing, for this migration strategy. Which hidden files in the $HOME directory (.gnome2, .nautilus, .mozilla, ...) should be carried over? Which should not? What about the /etc directory? The transition between gnome-desktop versions has been particularly rocky at times in the past. Some applications provide internal migration, but mostly these assume simultaneous access to both the old and the new, and the migration assistance is not available once the new has been established. If you or the program don't get it right the first time, then it often becomes a morass.
Targeted support? Posted Oct 19, 2006 23:53 UTC (Thu) by pjhacnau (subscriber, #4223) [Link] I would have thought the people running FL would have checked with the volunteers as to what they wanted before arbitarily cutting off the preferred versions :-(
Maybe, if FL is to survive/be resurrected/etc it could do something closer to Ubuntu's approach to long-term support; say get the people actually _doing_ the support to agree on specific versions to support. E.g "Forget FC2,3,4 - we support FC1 and FC6, and we drop FC1 for FC(X > 6) when enough people are happy with it.
Targeted support? Posted Oct 20, 2006 2:57 UTC (Fri) by skvidal (subscriber, #3094) [Link] Two items here:1. ubuntu has a team of paid people doing the LTS 2. So far we've not actually seen ubuntu do this. When they actually start maintaining a distro 2 and 3 years after its been released THEN we can start talking about it. However, seeing as they haven't had to do it yet it's all pure conjecture about what they may or may not be able to do.
Targeted support? Posted Oct 20, 2006 4:39 UTC (Fri) by pjhacnau (subscriber, #4223) [Link] I think use of the 'U' word distracted you from what I was suggesting :-)I wasn't suggesting "copy Ubuntu" - merely using the fact that they don't aim to LTS every release as a starting point for the idea.
Restating the idea without the 'U' word, it goes something like this:
1) If you rely mostly on volunteers, you piss them off at your peril.
I hate to say "I told you so"... Posted Oct 23, 2006 2:11 UTC (Mon) by Baylink (subscriber, #755) [Link] and luckily, my clients listen to me, and I don't have to.
Fedora isn't a commercial distribution.
Anyone treating it like it is gets his, I guess.
|
|||||||||||||