lwn article on the death of Fedora Legacy
http://lwn.net/Articles/204722/

This is subscriber-only content for two weeks, but the gist is: there's a whole lotta unpatched vulnerabilities in FC4.

Can we really pretend this is an ongoing concern? I know that personally I haven't been able to contribute the amount of time I'd like to make this succeed. But I have a full-time job and a young child, and am mildly active in umpteen other projects. Legacy support is hard work, and really needs two or three full-time workers to be a success.

It's tempting to blame the lack of volunteers, but this sort of project works best if there's a solid base. When Jesse Keating worked at Pogo, that was largely true, but with his duties at RH and with his new kid, it doesn't seem to be the case anymore. I'm sure this is not Jesse's fault -- there needs to be commitment from above, and that's clearly not the case.

I think this is really unfortunate, because it makes a big gap in the Fedora ecosystem. This will be largely filled by migration to RHEL-rebuild distros like CentOS, which is well and good (and particularly painless from the end-user point of view) but bad for Fedora. Without a functioning lifespan of over a year, Fedora is only practically useful as an enthusiast, bleeding-edge distro. That's only supposed to be _part_ of its mission.

--
Matthew Miller [EMAIL PROTECTED] http://mattdm.org/
Boston University Linux -- http://linux.bu.edu/

--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: lwn article on the death of Fedora Legacy
On Thursday 19 October 2006 11:44, Matthew Miller wrote:
> When Jesse Keating worked at Pogo, that was largely true, but with his duties at RH and with his new kid, it doesn't seem to be the case anymore. I'm sure this is not Jesse's fault -- there needs to be commitment from above, and that's clearly not the case.
>
> I think this is really unfortunate, because it makes a big gap in the Fedora ecosystem. This will be largely filled by migration to RHEL-rebuild distros like CentOS, which is well and good (and particularly painless from the end-user point of view) but bad for Fedora. Without a functioning lifespan of over a year, Fedora is only practically useful as an enthusiast, bleeding-edge distro. That's only supposed to be _part_ of its mission.

Here is what I think can happen.

A) Kill off RHL now. Stop trying to do stuff there when we just don't have the man power or the volunteers.

B) Move to using Extras infrastructure for building packages. They're ready for us for FC3 and FC4.

C) Move to Core style updates process. Spin a possible update, toss it in -testing. If nobody says boo after a period of time, release the darn thing. If somebody finds it to be broken, fix it and resubmit.

Somewhere in there convince Luke Macken to do the work to get a Fedora Update tool available for use externally that does the boring stuff like generate the email with the checksums and with the subpackage list and all that boring stuff. It could even handle moving the bug to 'MODIFIED' when it goes in updates-testing, and finally to CLOSED when it goes to release. Then it would be easier to get people to contribute, as they'd just be doing things like checking out a package module, copying a patch from somewhere, commit, build. That would help a lot. Somebody more senior in the project would fiddle with the tool to prepare the update, and do the sign+push.

I honestly think that doing these things is the only way that Legacy will survive.
--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)
Re: lwn article on the death of Fedora Legacy
On Thu, 19 Oct 2006, Matthew Miller wrote:
> > A) Kill off RHL now. Stop trying to do stuff there when we just don't have the man power or the volunteers.
> >
> > B) Move to using Extras infrastructure for building packages. They're ready for us for FC3 and FC4.
>
> So RHL has been the hold-up there?

...

That is an incorrect conclusion.

FWIW, Marc was the most active contributor, only interested in FC1, but willing to do the work for other versions as well. Up until some time ago, I was willing to help but my interest was only the RHLs but was willing to do PUBLISH/VERIFY for other versions in order to get RHL updates. There were a couple of other people who did some VERIFYs and proposed a couple of packages. That's it.

A better phrasing could maybe be that RHL/old distros was what kept FL going, because those had significant deployment base before people realized that trying to use Fedora and expect long maintenance wasn't a good idea (and hence folks moved to CentOS).

You could say that there is some problem with the process if e.g., sendmail MIME vulnerability updates (which are declared ready) haven't been published during the 1.5 months they've been ready [1]. I guess the issue is that no one with privileges to send the notification or move stuff from updates-testing to updates has been around during that time.

As a result, there are very few people left who care enough about FC3/FC4 updates. There just aren't enough people to do the job, and the machinery to do the job has been way too heavyweight for a long time.

I guess one could still move the FC3/FC4 stuff to extras (instead of just declaring the project dead) but I doubt the number of contributors is going to rise dramatically as a result even if extras were used. Some administrative overhead would be reduced but someone would still be needed to do the work.
[1] http://netcore.fi/pekkas/buglist.html
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=195418

--
Pekka Savola                  You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds.
Systems. Networks. Security.  -- George R.R. Martin: A Clash of Kings
Re: lwn article on the death of Fedora Legacy
On Thu, Oct 19, 2006 at 08:57:31PM +0300, Pekka Savola wrote:
> On Thu, 19 Oct 2006, Matthew Miller wrote:
> > > A) Kill off RHL now. Stop trying to do stuff there when we just don't have the man power or the volunteers.
> > >
> > > B) Move to using Extras infrastructure for building packages. They're ready for us for FC3 and FC4.
> >
> > So RHL has been the hold-up there?
>
> ...
>
> That is an incorrect conclusion.

You're misunderstanding me; I meant RHL has been the hold-up for switching to the Extras build infrastructure.

> time. I guess one could still move the FC3/FC4 stuff to extras (instead of just declaring the project dead) but I doubt the number of contributors is going to rise dramatically as a result even if extras were used. Some administrative overhead would be reduced but someone would still be needed to do the work.

Agreed.

--
Matthew Miller [EMAIL PROTECTED] http://mattdm.org/
Boston University Linux -- http://linux.bu.edu/
Re: lwn article on the death of Fedora Legacy
On Thursday 19 October 2006 13:57, Pekka Savola wrote:
> As a result, there are very few people left who care enough about FC3/FC4 updates. There just aren't enough people to do the job, and the machinery to do the job has been way too heavyweight for a long time.
>
> I guess one could still move the FC3/FC4 stuff to extras (instead of just declaring the project dead) but I doubt the number of contributors is going to rise dramatically as a result even if extras were used. Some administrative overhead would be reduced but someone would still be needed to do the work.

A good chunk of my proposal is removing administrative overhead. It's overhead now because we have to manually assemble the email, write out the content, checksum the packages, push them around, etc. It's VERY cumbersome, and requires a lot of permissions I'm not happy about giving folks. Moving it to Extras and tying into existing scripts or slightly new scripts to do most of the work would lighten the load SIGNIFICANTLY.

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)
Re: lwn article on the death of Fedora Legacy
On 10/19/06, Jesse Keating [EMAIL PROTECTED] wrote:
> On Thursday 19 October 2006 11:44, Matthew Miller wrote:
> > When Jesse Keating worked at Pogo, that was largely true, but with his duties at RH and with his new kid, it doesn't seem to be the case anymore. I'm sure this is not Jesse's fault -- there needs to be commitment from above, and that's clearly not the case.
> >
> > I think this is really unfortunate, because it makes a big gap in the Fedora ecosystem. This will be largely filled by migration to RHEL-rebuild distros like CentOS, which is well and good (and particularly painless from the end-user point of view) but bad for Fedora. Without a functioning lifespan of over a year, Fedora is only practically useful as an enthusiast, bleeding-edge distro. That's only supposed to be _part_ of its mission.
>
> Here is what I think can happen.
>
> A) Kill off RHL now. Stop trying to do stuff there when we just don't have the man power or the volunteers.
>
> B) Move to using Extras infrastructure for building packages. They're ready for us for FC3 and FC4.
>
> C) Move to Core style updates process. Spin a possible update, toss it in -testing. If nobody says boo after a period of time, release the darn thing. If somebody finds it to be broken, fix it and resubmit.

D) Move to Core style plan. Figure out what core packages we are going to backport for, and what packages we are just going to push the latest stuff for.

Mozilla - Seamonkey
Gaim - Gaim latest
etc.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. The Merchant of Venice
Any support news on FC4?
Hi,

It looks like there have been no new security updates for FC3/FC4 for about three months. Anyone know when the new updates will be available? After FC6 is released, or some other time?

Thanks.
Re: lwn article on the death of Fedora Legacy
On Thu, Oct 19, 2006 at 05:07:30PM -0600, Stephen John Smoogen wrote:
> D) Move to Core style plan. Figure out what core packages we are going to backport for, and what packages we are just going to push the latest stuff for.
>
> Mozilla - Seamonkey
> Gaim - Gaim latest

Yeah. And also, if at all possible,

E) See if any Fedora Core engineers are interested in, out of the goodness of their hearts, building updates for their packages in Legacy when it isn't much extra work -- and enabling them to easily do so.

--
Matthew Miller [EMAIL PROTECTED] http://mattdm.org/
Boston University Linux -- http://linux.bu.edu/
Re: Any support news on FC4?
On Thu, Oct 19, 2006 at 05:04:18PM -0700, Robinson Tiemuqinke wrote:
> It looks like there have been no new security updates for FC3/FC4 for about three months. Anyone know when the new updates will be available? After FC6 is released, or some other time?

See other thread.

--
Matthew Miller [EMAIL PROTECTED] http://mattdm.org/
Boston University Linux -- http://linux.bu.edu/