LWN: Comments on "Whither Fedora Legacy?"

Gentoo

mbp — Thu, 27 Jan 2005 21:45:21 +0000

Does Gentoo have a stable release, to which they backport fixes? If not, all they're doing is upgrading packages when a new release comes out, which seems to fit in your category of "fun" not "work".

All I can find is http://www.gentoo.org/proj/en/glep/glep-0019.html which is at a pretty sketchy state.

Whither Fedora Legacy?

sbergman27 — Fri, 21 Jan 2005 00:42:42 +0000

If supporting 7.3 is a burden, I would suggest dropping support for it. It's 5 releases old and has been supported for coming up on 3 years already. It clearly does not fall within fedora-legacy's 1-2-3 out policy.

One other possibility that comes to mind is RedHat doing like they are doing with Fedora Extras and providing hardware and an infrustructure and letting the community do the actual work. That way, fedora-legacy would not have to worry about things like getting their build server back into production, and could concentrate their finite resources on getting out timely updates in a predictable fashion.

Fix by version upgrade

giraffedata — Fri, 21 Jan 2005 00:02:44 +0000

Plus, the new version may have bugs, including security ones.

Version upgrades of major pieces of my system, such as the kernel, are too destabilizing for me, so when I need a security fix, I try to find just the security fix and apply it myself. But I've had a rather hard time finding them, particularly for the Linux kernel. There are copious web sites reporting security flaws and pointing you to a version upgrade that fixes it, but they don't usually have the actual fix.

If anyone knows where one can find individual kernel security fixes, please post.

Debian Security Policy

djpig — Thu, 20 Jan 2005 16:21:02 +0000

Some comments on that:

1) slink was the release before potato, not before woody. potato was supported for one year after woody release. IIRC, the security team asked some months before that for comments and only little objections were rised
(although one of the objections was concerning a pool of a few thousand
machines, again IIRC). A search in the archives of debian-devel-announce
and/or debian-devel should probably suffice to prove me wrong or right.

2) the intended policy for the next releases can be found in the security
faq: http://www.debian.org/security/faq#lifespan

Whither Fedora Legacy?

garloff — Thu, 20 Jan 2005 14:57:09 +0000

Fixing a security problem by just updating to a newer version often is
the easiest and quickest that a distributor can do.
And some users will appreciate to get version updates this way.

However, there are serious downsides:
* The newer version may behave differently in subtle or less subtle
ways.
* If the package contains libraries ... that other packages depend on,
updating to newer versions may introduce breakage at various hard-to
determine places.

This means that these version updates will worsen the quality and
consistency of the distribution over time. But then, a year of security
updates is not much anyways.
If you plan to keep a distro running for a while, you may well want to
chose a distro that does avoid version updates as security patches.

Whither Fedora Legacy?

smoogen — Thu, 20 Jan 2005 14:16:57 +0000

One of the things at least for Debian 'Legacy' is that they are only supporting 'stable' and not 3 back releases. When Woody became stable, Debian Security released a statement saying that in 6 months, they would no longer offer updates for slink. There was a lot of people saying that was horrible and they would switch to something more commercial.. however Debian stuck to it because as they said.. they dont have rhe resources to do so. I think Debian security has said the same thing when Sarge comes out. Woody security will occur for 6 months and then thats it.

I do not know how far back Gentoo goes.. however, as they have a build from source and a portage system.. they can rely on the customers to do all the system builds for them.

To be honest.. I think Fedora Legacy is going to need some major recruiting of home hackers. It seems to have originally tried to get a lot of consulting firms to do this as it was their bacon in the fire, but very few of the 20 or so I remember in the conversation actually dove in. I do not think that their business plans, time, or abilities could afford to try this. And as you say it is a thankless job that gets mostly complaints. It is why companies charge a premium for 'legacy updates' for like old VMS and such.

The only solution I can see is that you need to recruit some home hackers and make sure that they get Free Beer/Pepsi/Whateveryouwanttodrinkmate day at every Con you can think of :).

Whither Fedora Legacy?

mattdm — Thu, 20 Jan 2005 03:55:38 +0000

Talking about this is on the agenda for FUDCon1. Hopefully some good will come out of that.