Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
On Mon, Nov 06, 2006 at 08:21:26AM -0600, Rex Dieter wrote: David Eisenstein wrote: Fedora Board, please take heed. Although providing a stable, long-term operating system/environment is *not* one of Fedora Project's stated goals, the practical lifetime of a Fedora release of 1 year (without Legacy to be there to security-maintain them for (at least) 1 more year) is ... ridiculous -- except for the Linux enthusiast and those who love sliding down the razor-blade of computing. The Fedora Legacy build team seems to be down now to 1 or 2 builders who can push packages to Legacy's updates-testing and updates. OK, I'll bite. What do you want exactly from the Board? Wave our magic Fedora wand to produce more (active) community contributors? OK, lemme see, now where did I leave that darn thing... :) I don't know if the board has power over suggesting to Fedora's sponsor, Red Hat, to resuffle its engineering resources, but if so, then it's a simple equation: If FL is indeed going to get more resources to prolong a Fedora release's lifespan then these resources need to be drained from somewhere. This can't be rawhide and the latest release, but maybe the previous release (like in this timeframe FC5). And it can't be Rex' magic hat either, I think it only produces rabbits and not yet FL contributors. ;) There are a couple of non-security/non-bugfixes updates happening in FC5 right now, that maybe could had been cast into FL4 support. And in the context of sparing resources FL would have to narrow the support matrix to only one FL release. E.g. better to have good support for one release than only half for two. That drops half a year of support, but gains more trust back to FL if security issues within a release can be addressed for that other half year in a timely fashion. -- Axel.Thimm at ATrpms.net pgpVbq54kOKDm.pgp Description: PGP signature -- fedora-legacy-list mailing list fedora-legacy-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
On Mon, Nov 06, 2006 at 08:21:26AM -0600, Rex Dieter wrote: OK, I'll bite. What do you want exactly from the Board? Wave our magic Fedora wand to produce more (active) community contributors? OK, lemme see, now where did I leave that darn thing... I see 2 things that could help: * use the fedora extras build system and procedures. I find legacy procedures very complicated. The legacy procedures have merit, there are more verifications, but maybe such procedures should be used in the future when there is a community. * open fedora core to the community. That way people from the community interested in a package could help maintaining it in core and it would help a lot when it transitions to legacy. Currently core is closed to the community and core maintainers often don't collaborate with the community for packaging issues. In the current situation somebody interested in a package in legacy have to learn everything about that package, knowing that he has no control on the package in current and devel release. Co-maintainership in core with community members would help a lot having somebody still taking care of the package in legacy. -- Pat -- fedora-legacy-list mailing list fedora-legacy-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
Axel Thimm wrote: I don't know if the board has power over suggesting to Fedora's sponsor, Red Hat, to resuffle its engineering resources, but if so, then it's a simple equation: If FL is indeed going to get more resources to prolong a Fedora release's lifespan then these resources need to be drained from somewhere. This can't be rawhide and the latest release, but maybe the previous release (like in this timeframe FC5). And it can't be Rex' magic hat either, I think it only produces rabbits and not yet FL contributors. ;) Board can make suggestions, yes. Dictate, no. The board doesnt have the resources in hand to allocate to sub projects. It can set policies and thats the primary work that's being done. If it comes to resources, reshuffling wont work since there is noone working on the previous release that is not working on the current release of Fedora and rawhide too. Its all part of the common pool. If we pull people out of that, we would effectively reducing the amount of movement forward. It would be possible to recommend that Red Hat hire *new people* to work solely on legacy but justifying that is harder compared to active upstream or new release development. Unifying and opening up more of the infrastructure and other ideas like that only doing critical security fixes are things to look at. Rahul -- fedora-legacy-list mailing list fedora-legacy-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: Fedora Legacy Test Update Notification: gzip
On Mon, 6 Nov 2006, David Eisenstein wrote: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash. (CVE-2006-4334, CVE-2006-4338) Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code. (CVE-2006-4335, CVE-2006-4336, CVE-2006-4337) Those interested in RHL73 may take a look at http://staff.csc.fi/psavola/fl/. It includes RPMs which fix this for RHL73, as well as a a couple of other RPMs fixing the most significant latest issues (e.g., the recently published PHP issue). -- Pekka Savola You each name yourselves king, yet the Netcore Oykingdom bleeds. Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings -- fedora-legacy-list mailing list fedora-legacy-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
On Tue, Nov 07, 2006 at 11:46:37PM +0530, Rahul Sundaram wrote: Unifying and opening up more of the infrastructure and other ideas like that only doing critical security fixes are things to look at. But FL's charter is already to only cater about security fixes, or do you imply to categorize them and allow some to slip? E.g. allow local priviledge escalation, but fix remote exploits? I don't think that's a good FL manifesto. Allowing non-critical security issues to exist will only harm the project's front to the public more. The issue is also not the infrstructure IMO, it's simply lack of human resources and either someone needs to assign them to it if that entity (Red Hat/board/whatever) considers that a worthy goal, or the resources need to come from more voluntary people, e.g. FL needs a marketing manager. Or the need for resources is cut by reducing the number and time span of supported releases. -- Axel.Thimm at ATrpms.net pgpIWeDderKt5.pgp Description: PGP signature -- fedora-legacy-list mailing list fedora-legacy-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
Quoting Axel Thimm [EMAIL PROTECTED]: The issue is also not the infrstructure IMO, it's simply lack of human resources and either someone needs to assign them to it if that entity (Red Hat/board/whatever) considers that a worthy goal, or the resources need to come from more voluntary people, e.g. FL needs a marketing manager. I think it is both Infrastructure and lack of humans, plus stupid barriers that shouldn't exist. The learning curve is high, people look down at volunteers just because they don't/won't/can't use some technology (e.g. IRC), and there is little effort expended to get people to participate (though much flaming people for not participating). There is also an emphasis on getting people to only help with QA, which is rather bad. If you can get people to start helping however they feel they can, they will generally and eventually start helping in other areas. But people generally need encouragement, and not flame wars, insults, and barriers. Or the need for resources is cut by reducing the number and time span of supported releases. An option, but it only makes the limited resources go further, when what we really need are more resources... -- Axel.Thimm at ATrpms.net -- Eric Rostetter The Department of Physics The University of Texas at Austin Go Longhorns! -- fedora-legacy-list mailing list fedora-legacy-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
On Tue, Nov 07, 2006 at 04:54:34PM -0500, Jesse Keating wrote: On Tuesday 07 November 2006 16:47, Axel Thimm wrote: The issue is also not the infrstructure IMO, it's simply lack of human resources Well, if the barrier to contribute was lower, getting more people would be easier. If it were say as easy as using the Extras build system so that any current Extras contributor could easily become a Legacy contributor as well... This is what I'm working towards. It's certainly worth while attacking this way, but I think it will not be enough. Let's hope I'm wrong. -- Axel.Thimm at ATrpms.net pgpcVFDQZoUHJ.pgp Description: PGP signature -- fedora-legacy-list mailing list fedora-legacy-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
Axel Thimm wrote: On Tue, Nov 07, 2006 at 11:46:37PM +0530, Rahul Sundaram wrote: Unifying and opening up more of the infrastructure and other ideas like that only doing critical security fixes are things to look at. But FL's charter is already to only cater about security fixes, or do you imply to categorize them and allow some to slip? E.g. allow local priviledge escalation, but fix remote exploits? I don't think that's a good FL manifesto. Allowing non-critical security issues to exist will only harm the project's front to the public more. Not really. It is better than not pushing updates at all. See https://www.redhat.com/archives/fedora-security-list/2006-October/msg6.html The issue is also not the infrstructure IMO, it's simply lack of human resources and either someone needs to assign them to it if that entity (Red Hat/board/whatever) considers that a worthy goal, or the resources need to come from more voluntary people, e.g. FL needs a marketing manager. Lack of human resources is also a result of higher barrier to entry. New people need to be able to contribute easily. Existing contributors in other sub projects like extras need to able to do that. Unifying infrastructure and automating more of the tasks helps in both ways. Or the need for resources is cut by reducing the number and time span of supported releases Just as reducing time span is a option, classification of vulnerabilities and working on critical ones after a time span is also a option that needs to be considered. Rahul -- fedora-legacy-list mailing list fedora-legacy-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
Eric Rostetter wrote: Quoting Axel Thimm [EMAIL PROTECTED]: The issue is also not the infrstructure IMO, it's simply lack of human resources and either someone needs to assign them to it if that entity (Red Hat/board/whatever) considers that a worthy goal, or the resources need to come from more voluntary people, e.g. FL needs a marketing manager. I think it is both Infrastructure and lack of humans, plus stupid barriers that shouldn't exist. Agreed... getting people to participate is one thing, but the effort to contribute is a bit high at the moment, considering that most folks are making this part of their spare time... It's also about organizational leadership, which to be honest, I do find lacking... there is no specific plan, no accountability/responsibility, no visible means to release into testing and production. To be honest, Legacy is pretty much borken as an organization at the people level. Folks want/need to know what to do, who does what, and how things work. This may be an implied thing at the moment, but speaking from somebody looking in from the outside, I have to ask why bother? 1) Packagers - this is important obviously 2) Testers - packagers should not be testers, but testers should be defined 3) Releaser Management - once QA is done, somebody needs to release the package to the production tree... The three roles are very different, and these need to be filled by different people, i.e. no overlap in responsibility... The learning curve is high, people look down at volunteers just because they don't/won't/can't use some technology (e.g. IRC), and there is little effort expended to get people to participate (though much flaming people for not participating). The bar is pretty high to get in, and this is intimidating for those who lack experience with items outside of the course of their normal usage. Not to say that folks could not rise up to the challenge, it's just that the path is poorly documented, and the tools are, to be honest, a bit tough to use. Again, it comes down to who and how... There is also an emphasis on getting people to only help with QA, which is rather bad. If you can get people to start helping however they feel they can, they will generally and eventually start helping in other areas. But people generally need encouragement, and not flame wars, insults, and barriers. Bingo... thing is that QA is the end of the line, and the one most needed and least respected by the folks that build packages. One thing that is very important, as the base of folks that would be potential QA candidates is to: 1) spell out what is needed - what is the problem and fix, how to test it? 2) how to use the systems - how to mark tested, reopen, open new bugs For the packagers... how to package for a release. I maintain my own boxen, so when a security issue pops up, I download source or make the fix locally. How to build a package and release it into testing remains somewhat of a mystery... I'd be happy to do so, if it were documented somehow. Or the need for resources is cut by reducing the number and time span of supported releases. An option, but it only makes the limited resources go further, when what we really need are more resources... More resources is not the answer - better management of the resources that are on board, and better tools to manage the process is what is needed. The process itself needs to be defined and clarified. Tim -- fedora-legacy-list mailing list fedora-legacy-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: Some supporting ideas regarding fedora legacy project when FC6 is out today
Robinson Tiemuqinke wrote: Hi, Glad that FC6 is out today for download/playing. But FC5 and FC6 are released too closely -- only three months apart. while FC4 had released over one year before FC5 appeared. Consequently, a lot of people and small organizations, as far as I know, have installed bunches of "free" FC4 boxes instead of FC5. Thereafter, they will directly go to FC6 instead of FC4-FC5-FC6, taking into the consideration of that each upgrade from one release to another one is not a tedious work. Personally... rather than the RedHat stair step approach to releases, i.e. FCx, FCy, FCz... I would rather see a gentle slope... The stair step approach, it was good when RH was selling RH Linux, but this is not the best approach for a freely available version of RH. We are not buying new packages every release of RH. Rawhide, as I see it, is always in motion, on the cutting edge of Linux, at least in the RH world. It's the development tip so to speak... I could be wrong on this. What Fedora should be is the stable edge of rawhide, with some QA... snapshots would be the core releases. In an ideal world, loading up FCx, and doing a yum update should take me all the way to the current_stable FCz release of fedora. In other words, clean in-line updates, no matter which ISO snapshot I download/install... then Legacy isn't really a problem. Note to RedHat and the Fedora Board - as Users, We are your Community to Develop... make the best use of the resource you have. Thx, Tim -- fedora-legacy-list mailing list fedora-legacy-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-legacy-list