Re: RHEL subset of which FC ?
On 1/16/07, P. Martinez [EMAIL PROTECTED] wrote:

Hi, is it true when i say, FC3 == RHEL4 ?

No, it's more like

RHL-7.2 =~ RHEL-2.1
RHL-9 =~ RHEL-3
FCL-3 =~ RHEL-4

If you are looking at one could attempt an upgrade from to then it would be that

RHL-7.0, RHL-7.1, RHL-7.2 might be upgraded to RHEL-2.1
RHL-7.3, RHL-8, RHL-9 might be upgraded to RHEL-3
FCL-1, FCL-2, FCL-3 might be upgraded to RHEL-4
FCL-4, FCL-5, FCL-6 might be upgraded to RHEL-5

none of these are 'clean' upgrades, and can lead to crashed machines around 20% of the time due to things outside the scope of this email.

The steps to follow it are the following:

0) Look up on google better how-tos than this :)
1) Backup current data to media that can be recovered from after an install (USB diskdrive works great)
2) Make a file listing of your RPM database like
   rpm -qa --qf='%{NAME} %{EPOCH}:%{VERSION}:%{RELEASE}\n' > filename
3) Do an upgrade
   One needs to force the RHEL/Centos installer to do an upgrade of outside its
4) Look for files that were left over and why
5) Fix broken configs because versions have changed greatly.

[my guess is that FCL-9 might be RHEL-6 :)]

I compiled myself this dates:

FC3 - 8 November 2004
RHEL4 - February 2005
FC4 - 13 June 2005

-- Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. The Merchant of Venice

-- fedora-legacy-list mailing list fedora-legacy-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-legacy-list
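A starting point for step 4 of the procedure above, as an added example that is not part of the original post: it compares the package listing saved in step 2 with a second listing taken the same way after the upgrade, and reports packages the installer did not replace. The function names, file names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Input lines have the shape written by the step 2 command:
#   NAME EPOCH:VERSION:RELEASE
# rpm prints "(none)" for a package without an epoch; that is treated
# as epoch 0 here so both spellings compare equal.

# compare_rpm_lists BEFORE AFTER
#   UNCHANGED name evr -> the same build is installed before and after,
#                         so the upgrade did not replace it
#   REMOVED   name evr -> no package of that name is installed any more
# Packages whose name is still present with a different build were upgraded
# and are not reported. Several builds per name (kernels) are handled.
compare_rpm_lists() {
    awk '
        function evr(s) { sub(/^\(none\):/, "0:", s); return s }
        NR == FNR { before[$1 " " evr($2)] = 1; next }
        { after[$1 " " evr($2)] = 1; after_name[$1] = 1 }
        END {
            for (k in before) {
                split(k, f, " ")
                if (k in after)                 print "UNCHANGED", k
                else if (!(f[1] in after_name)) print "REMOVED", k
            }
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample listings (made-up versions, not data from a real host).
write_samples() {
    cat > "$1/before.txt" <<'EOF'
bash (none):2.05:41
kernel (none):2.6.9:1
mozilla 37:1.7:1
localtool 1:0.9:3
EOF
    cat > "$1/after.txt" <<'EOF'
bash (none):3.0:19
kernel 0:2.6.9:1
kernel (none):2.6.9:42
seamonkey (none):1.0:1
localtool 1:0.9:3
EOF
}

# Demo run on the constructed listings.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
compare_rpm_lists "$demo_dir/before.txt" "$demo_dir/after.txt"
rm -rf "$demo_dir"
```

Anything reported as UNCHANGED is a candidate for a package that only exists in the old release, which is where left-over files and stale configs usually come from.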
Re: Fedora Legacy
On 1/12/07, Wilson Andrew [EMAIL PROTECTED] wrote:

Hi, All. It is with some sadness I have noted that the fedora legacy project has significantly downscaled its scope. Not least because it leaves me a job to do with my fedora servers (many of which are FC3)! That got me thinking... should I be lamenting lack of community interest in the project, and moving on; or should I be trying to help.

At this point.. I think moving on is the status. The Fedora Legacy project pretty much closed doors, rolled up the sidewalk, and drove out of town in December 2006.

-- Stephen J Smoogen. -- CSIRT/Linux System Administrator
Re: Legacy wiki -- statement?
On 12/13/06, Matthew Miller [EMAIL PROTECTED] wrote:
On Wed, Dec 13, 2006 at 08:16:47AM -0600, Philip Molter wrote:
On Tue, Dec 12, 2006 at 04:42:36PM -0600, Mike McCarty wrote:

Now, let me get started on migrating those last servers running legacy versions of Fedora Core...

Migrating them to what? That's my question.

If you can't upgrade every year (or ideally, twice a year), CentOS is the clear answer.

If you make that kind of statement, you are effectively removing high-end server testing from Fedora Core. If FC is still supposed to be a testbed for the newer software, whether it's desktop or high-end server, then that sounds like the wrong thing to say.

It is the *truthful* thing to say. I agree wholeheartedly with you, but without serious (financial and personnel) backing for Fedora Legacy, it *cannot happen*.

And the resources should not be Red Hat's. Red Hat already plows enough money into Fedora.. this is where the community (if there is one) has to supply the labour to deal with the fields that are fallow.

-- Stephen J Smoogen. -- CSIRT/Linux System Administrator
Re: nails in coffins? Re: Openssl updates
On 11/30/06, Rex Dieter [EMAIL PROTECTED] wrote:
Nils Breunese (Lemonbit) wrote:

Unfortunately I will have to be migrating our last Fedora servers over to CentOS even sooner now...

I take it, then, that extending Fedora's (supported) life-cycle to 13+ mos isn't sufficient for your needs?

For my previous government jobs it took about 3 months to get an OS certified from the time it was gold to when it could be used. That leaves 10 months of usefulness of it, which I think will work well for the cluster people who needed the latest stuff as they will be really only using it for 6 months before the next upgrade. The finalized large cluster would go onto being Centos or RHEL as it would need to run the same code sets for 5 years.

Depending on the department, a 10 month lifetime would also be ok for desktops. For servers, it is too short of a time as it usually takes about 2 months after the OS is ok to be used for the various services to be solid. However, it is what people get for living off the work of others (eg gratis)

-- Stephen J Smoogen. -- CSIRT/Linux System Administrator
Re: RHEL3: Problem going from RH 2.4.20 to Linus 2.4.33
On 11/15/06, David Douthitt [EMAIL PROTECTED] wrote:

I compiled a version of Linus' kernel 2.4.33 for CentOS 3 (RHEL 3) and found that several programs started failing with core dumps or lockups.

You can not use 2.4.33 on Centos 3 or RHL 9 systems. The base kernel for RHL-9 and RHEL-3/Centos-3 have several incompatible sections backported from the 2.5.xx kernel series to give features that were wanted but not in the 2.4 kernel. Thus you can not have the most current 2.4.xx kernel. If you are wanting to do that you will be wanting a different OS than any of the 'Enterprise' systems.

It seems to center on two different things: the clone() call, and some kind of file locking call that isn't supported (fuserlock?) The clone() call resulted in core dumps; the other resulted in programs receiving an unexpected not implemented result and entering an endless loop waiting for a positive result. Any tips? I'd like to keep the kernel current

-- Stephen J Smoogen. -- CSIRT/Linux System Administrator
Re: lwn article on the death of Fedora Legacy
On 10/24/06, Mike McCarty [EMAIL PROTECTED] wrote:
Stephen John Smoogen wrote:
On 10/20/06, Matthew Miller [EMAIL PROTECTED] wrote:
On Fri, Oct 20, 2006 at 09:36:15AM -0600, Stephen John Smoogen wrote:

The problem is that we are just beat. Jesse has a kid, a release cycle, a new knee, and a lot of other stuff on his real job. The other people who have been doing stuff have also had 'stuff happen', and temporary schedule changes that have become permanent.

Yes. In order to survive the project needs some real support from Red Hat. (Or some other large company who wants to do Red Hat a favor, but that seems even less likely.) Using the Chasm marketing model [*], without Legacy, Fedora is only a viable solution for Early Adopters and of dubious value to the second Pragmatist group. However, Fedora has been enough of a success that many Pragmatists are indeed using Fedora.

I would argue that the pragmatists had been using it out of a trust model. They had used Red Hat Linux when it has crossed the chasm, and

I don't believe that Linux in general has crossed the chasm yet. I think it's *all* still in the early adopters stage. But within the Linux community (oxymoron) FC is the early adopters of the early adopters.

That would put you in the conservative column then. So far at the 3 10,000+ person companies I have worked at for the last 5 years, we have replaced 90% of our Solaris, AIX, mainframes etc with Linux. From what I have been helping with at other sites this has been the trend in the last 4 years. One site a friend works at just bought 5000 sun boxes. Although they each have a Solaris license, none of them will be using Solaris.. it's just that the AMD hardware was considered better to run the clusters on.

[snip]

2) I use Fedora to alpha/beta test for the next/current Red Hat Enterprise.

How come when I state that FC is beta test, I get dog-piled, but you don't?

Because I said I used Fedora as a beta test.. not that Fedora is a beta test. The two are not equal statements. Red Hat may not use it as such, but I as a consumer do.

-- Stephen J Smoogen. -- CSIRT/Linux System Administrator
Re: lwn article on the death of Fedora Legacy
On 10/20/06, Nils Breunese (Lemonbit) [EMAIL PROTECTED] wrote:
Matthew Miller wrote:

I know that personally I haven't been able to contribute the amount of time I'd like to make this succeed. But I have a full-time job and a young child, and am mildly active in umpteen other projects. Legacy support is hard work, and really needs two or three full-time workers to be a success. It's tempting to blame the lack of volunteers, but this sort of project works best if there's a solid base.

The Fedora Infrastructure team recently sent out an announce mail to let people know they could use a couple of extra hands. Already a couple of people mailed that team and said they could help out. Maybe Fedora Legacy should send out such an email?

I think we sent out one before the Infrastructure team did..

-- Stephen J Smoogen. -- CSIRT/Linux System Administrator
Re: lwn article on the death of Fedora Legacy
On 10/20/06, Matthew Miller [EMAIL PROTECTED] wrote:
On Fri, Oct 20, 2006 at 09:36:15AM -0600, Stephen John Smoogen wrote:

The problem is that we are just beat. Jesse has a kid, a release cycle, a new knee, and a lot of other stuff on his real job. The other people who have been doing stuff have also had 'stuff happen', and temporary schedule changes that have become permanent.

Yes. In order to survive the project needs some real support from Red Hat. (Or some other large company who wants to do Red Hat a favor, but that seems even less likely.) Using the Chasm marketing model [*], without Legacy, Fedora is only a viable solution for Early Adopters and of dubious value to the second Pragmatist group. However, Fedora has been enough of a success that many Pragmatists are indeed using Fedora.

I would argue that the pragmatists had been using it out of a trust model. They had used Red Hat Linux when it has crossed the chasm, and were using Fedora out of the same trust model. However, Fedora seems to have only been for Early Adopters. Legacy was an added on idea by people who realized that if you are going to put service software in an OS, people aren't going to want to upgrade every 6 months. The problem with that is that maintaining an OS is always more effort/cost than creating it. That is why Pragmatists, Conservatives, and Laggards are better suited with an Enterprise linux. The problem with trying to stay on the Early Adopter side is that they will most likely drop you for the next shiny thing (Gentoo 3 years ago, Ubuntu today, xPath in 3 years)

Fedora people repeatedly state that the distribution is great for users beyond the tech-enthusiast Earlier Adopters. But without Legacy, it's really not true.

To be honest, there are only 2 reasons I use Fedora these days:

1) I drank the Bob Young koolaid long ago, and I am too much an RPM man to change to something else.. and
2) I use Fedora to alpha/beta test for the next/current Red Hat Enterprise.

Even if Red Hat does not use Fedora as an alpha/beta test for Red Hat Enterprise.. I and many other people who are RHEL/Centos/etc customers do. I use Fedora because I need to know what the next RHEL will have in it. I use it to see what tools in extras I can pull over to my production systems because I need a plone, git, or other tool for some project. I do like having the nice new distro every 6 to 9 months, but I don't get paid to have it... and I am no longer the young kid who has time to twiddle with all the knobs to find out why something isn't working.

* http://www.ericsink.com/Act_Your_Age.html

Heh. I hadn't seen that for a long time. Eric Sink was sort of my boss before I went to work for Red Hat. The books Crossing the Chasm and Inside the Tornado should be required reading for anyone dealing with emerging markets.

-- Stephen J Smoogen. -- CSIRT/Linux System Administrator
Re: lwn article on the death of Fedora Legacy
On 10/19/06, Jesse Keating [EMAIL PROTECTED] wrote:
On Thursday 19 October 2006 11:44, Matthew Miller wrote:

When Jesse Keating worked at Pogo, that was largely true, but with his duties at RH and with his new kid, it doesn't seem to be the case anymore. I'm sure this is not Jesse's fault -- there needs to be commitment from above, and that's clearly not the case. I think this is really unfortunate, because it makes a big gap in the Fedora ecosystem. This will be largely filled by migration to RHEL-rebuild distros like CentOS, which is well and good (and particularly painless from the end-user point of view) but bad for Fedora. Without a functioning lifespan of over a year, Fedora is only practically useful as an enthusiast, bleeding-edge distro. That's only supposed to be _part_ of its mission.

Here is what I think can happen.

A) Kill off RHL now. Stop trying to do stuff there when we just don't have the man power or the volunteers.
B) Move to using Extras infrastructure for building packages. They're ready for us for FC3 and FC4.
C) Move to Core style updates process. Spin a possible update, toss it in -testing. If nobody says boo after a period of time, release the darn thing. If somebody finds it to be broken, fix it and resubmit.
D) Move to Core style plan. Figure out what core packages we are going to backport for, and what packages we are just going to push the latest stuff for.

Mozilla - Seamonkey
Gaim - Gaim latest
etc.

-- Stephen J Smoogen. -- CSIRT/Linux System Administrator
Moving Mozilla to Seamonkey
I think it might be a good idea to evaluate a change of Firefox/Thunderbird/Mozilla to the latest tree set. This would mean changing Mozilla to Seamonkey, and moving Firefox/Thunderbird to 1.5.x series. I know this is a big change, but is the time to backport fixes worth the headache in time of bug open in this case?

-- Stephen J Smoogen. CSIRT/Linux System Administrator
Re: What we're forgetting . . .
On 6/15/06, Philip Molter [EMAIL PROTECTED] wrote:

With that said, it'd be nice if right after a release was moved into FC4, the outstanding bugs (not security fixes, but bugs) were addressed. FC2's kernel, for example, has numerous little bugs that were in Bugzilla both before and after the Legacy switch that are easy to fix and have been addressed with both posted patches and later updates that were just never addressed in Legacy. The *perfect* time to do this is right after the switch. Think of it as a stability focus period, and then once all the little things that tend to get ignored by Fedora proper get ironed out (I would think a lot of those things are extremely simple to handle), then the distro is really solid for a lifetime of security updates.

It would be nice.. but currently the people doing the code work are probably 4-8 people volunteering their time. You could do a full scale bug-fix and remediation with a team of 8 people who were full-time on fixing bugs.. but that costs at least $1.5 million dollars per year (salaries, benefits, hardware, bandwidth). If we were to take donations on this per say user per year.. we would need about 32000 users at $50.00/per seat. Doing it via volunteers.. I would say you would need anywhere between 32 to 64 coders+QA.

I'm a user, not a QA guy, though. I'm not sure if my opinion is valid.

-- Stephen J Smoogen. CSIRT/Linux System Administrator
Re: Friday Flames - What to do with RHL7.3/9 and FC1/2
On 6/13/06, Barry K. Nathan [EMAIL PROTECTED] wrote:
On 6/12/06, Stephen John Smoogen [EMAIL PROTECTED] wrote:

The old Red Hat support lifecycle was that the last minor release (4.2,5.2,6.2,7.3) was supported until the next last major.minor release was out.

Are you sure? I think the actual support lifetimes were longer than that (e.g. 6.2 came out before support for 4.2 was dropped).

I could most likely be wrong. I did installation support for a large part of that time, and I didn't remember any 4.2 tickets after 5.2.. So it could have been a different major.minor release date.

Given a 36 month support lifetime what would expected end of life be

Release  Released  End of Life?
4.2      1997-05   2000-05
5.2      1998-10   2001-10
6.2      2000-03   2003-03
7.3      2002-05   2005-05
9.0      2003-04   2006-04

-- Stephen J Smoogen. CSIRT/Linux System Administrator
Re: Friday Flames - What to do with RHL7.3/9 and FC1/2
On 6/14/06, Tim Thome [EMAIL PROTECTED] wrote:

My last words on the subject... The RH9 GA Release, as far as I can tell, was 03/31/03. Putting RH's timeline for life-cycle, maintenance should be carried on for a minimum of 5 years.

I am trying to find where the 5 years comes from. The only promises of support I remember for 5 years was for people who were paying RHN contracts and that was worded that the updates would be available on the RHN server for 5 years.

I think this is probably unreasonable, as the team's resources are limited, which is why we're having this discussion.

I agree. The largest burden of engineering costs at any company is maintenance support. My take is that RHEL-2 and RHEL-3 are actually the larger time/money sinks for Red Hat because of this.. I know that trying to get fixes out for RHL5.2 during 6.x was a major pain and caused delays for other things back then.

-- Stephen J Smoogen. CSIRT/Linux System Administrator
Re: Friday Flames - What to do with RHL7.3/9 and FC1/2
On 6/12/06, John Pybus [EMAIL PROTECTED] wrote:
Tom Yates wrote:
On Fri, 9 Jun 2006, Jesse Keating wrote:

RH has not had such a timetable.

nothing lasts for ever, so if it's felt we should drop them, i can happily get behind that decision - but i would ask that we give three months' warning.

I too have RH7.3 in production use, but feel that it's now getting towards the time to end support. As has been noted in this thread that's a 4 year lifespan. I'm not really impressed in that as an OS lifespan, but in the current security climate, and with the difficulties of maintaining old OSS codebases, that's the way of the world.

For a longer supported base in the commercial world, you have always had to pay for it. Microsoft is probably the only one who has put a longer time frame and they are backpedaling on it because it was too costly to try and fix WinME for 7 years.

The old Red Hat support lifecycle was that the last minor release (4.2,5.2,6.2,7.3) was supported until the next last major.minor release was out.

?Timeline of Support contracts?

Release  Released  End of Life?  LifeTime
4.2      1997-05   1998-10       ~17 months
5.2      1998-10   2000-03       ~17 months
6.2      2000-03   2002-05       ~26 months *1
7.3      2002-05   ?2004-01      ~20 months *2
9.0      2003-04   ?2005-01      ~20 months *3

*1) if the series had ended at 7.2 versus 7.3 then it would have been ~17 months again
*2) if we go with 17 months then it would have EOL'd at ~2003-10. if we go with 26 months.. it would have EOL'd at ~2004-06. 20 months is an average of all known EOL's.
*3) if we go with 17 months then it would have EOL'd at ~2005-09. if we go with 26 months.. it would have EOL'd at ~2005-06. 20 months is an average of all known EOL's.

I think that Fedora Legacy has gone well past what Red Hat had done in the past. I of course could have my dates wrong (4.2 might have been supported until 6.0 was released which would give a ~24 month timeline for 4.2/5.2 and a 30 month release for 6.2.)

Now, if the world had gone on the old release cycle.. Then we might have seen the following:

Projected Timeline of nonexistent RHL releases..

Release  Released
04.2     1997-05
05.0     1997-10
05.2     1998-10
06.0     1999-04
06.2     2000-03
07.0     2000-08
07.3     2002-05
08.0     2002-10
08.2     2004-04
09.0     2005-01
09.2     2006-07
10.0     2007-02

I think that at this point giving a 3 month EOL requirement for RHL 7.3/9 is ok.. and if people want to continue support.. then they can fork over the standard $250-$500.00/hour that Legacy support of operating systems has.

-- Stephen J Smoogen. CSIRT/Linux System Administrator
Re: Friday Flames - What to do with RHL7.3/9 and FC1/2
On 6/12/06, Eric Rostetter [EMAIL PROTECTED] wrote:
Quoting Jesse Keating [EMAIL PROTECTED]:

RHL we agreed to support for a long period of time, however that time may be up. Personally I would really like to see these go, as they take up a lot of our time when trying to push updates, we get very little help, and updates are increasingly more difficult to do. I would like to hear discussion on if we should continue supporting it, how we can make it easier to support, and a reasonable endpoint to the support, an exit strategy.

While I have various opinions on whether or not they should go, I'll stick with just some ideas on what we need to do if they do go. First, due to the way we promoted RHL support, if we do decide to drop it, we _MUST_ _NOT_ do so without a reasonable warning period. That is, we can't just decide to drop it and do so immediately. We would need to provide a

Jesse mentioned this right after FC4 was released and again when FC5 was out the door. At which point there are a lot of people who come out and say they still need support for RHL-7.3/RHL-9 but other than Pekka seem to disappear again until the next announcement.

I am the kettle calling the pot black here.. other than testing the Firefox builds a while back.. I haven't had the time to do anything else. From what I can tell from the amount of time it took me to try and get that and some other back-queue items tested.. unless you can honestly say you have 8 hours a week you can devote to a release... asking for it to stay alive is just prolonging the pain.

-- Stephen J Smoogen. CSIRT/Linux System Administrator
Re: Friday Flames - What to do with RHL7.3/9 and FC1/2
On 6/12/06, kles koe [EMAIL PROTECTED] wrote:

if i'm correct, the fedora project philosophy is to bring out 'experimental' releases with very short release cycles whereas the old RHL releases were official and stable releases. both got picked up by the legacy group for legacy support, which is great of course. so dropping older fedora releases shouldn't be a problem, i mean, nobody would actually run an experimental release as a stable server would they? (i know people are actually doing this but that's the risk they took.) with RHL 7.3/9 it's a different story, lots of companies installed them on their servers still expecting a certain period of support (what is it currently for RHEL? 7 years?) but then redhat changed course and decided to drop support altogether.

It is 7 years for support for RHEL, but it was only 18-24 months for the older RHL releases. Both have passed for RHL-7.3 and RHL-9. RHEL-2.1 which is equivalent to RHL-7.3 is now in maintenance support. Come Nov 1st, RHEL-3 will be in maintenance support {e.g. RHEL3U8 will be the last release with hardware updates}.

http://www.redhat.com/security/updates/errata/

Looking at the fact that RHEL-3 will go into 'deep-freeze' on Nov 1st, I would consider that the drop dead date for Legacy to drop support for RHL-9.

-- Stephen J Smoogen. CSIRT/Linux System Administrator
Re: [Fwd: Re: New Mozilla vulnerabilities??]
On 6/9/06, David Eisenstein [EMAIL PROTECTED] wrote:
Matthew Miller wrote:
On Sat, Jun 03, 2006 at 02:36:13PM -0500, David Eisenstein wrote:

It mentions a bunch of vulnerabilities (all of which seem to affect Seamonkey, Thunderbird, and Firefox). After looking at each VU#, it appears that none of the announcements mention the Mozilla suite. Also, at least as of last night, none of them mention any CVE #'s.

No updates for Firefox for Fedora Core yet, either https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194617

I heard a rumor the other day that Red Hat Enterprise Linux may be planning to replace Mozilla with Seamonkey in their currently-maintained distros. Am wondering if there is any truth to this rumor? Also wondering if there is anything we in Fedora Legacy can do to help in this process of dealing with these critical Mozilla/Firefox/Seamonkey bugs?

Nothing rumour-ish about it. From the Taroon list:

Red Hat Enterprise Linux 3 Update 8 *Beta* Availability Announcement
...
- Important: Browser re-base from Mozilla to Seamonkey

The Mozilla Suite has been replaced by Seamonkey, the internet application suite from the Mozilla Foundation that includes a Web browser, email and newsgroup client, IRC chat client, and HTML editor. Users of the Mozilla Suite are advised to transition to Seamonkey, which offers the same application functionality and shares the same Mozilla Application Suite codebase as the legacy Mozilla Suite, which is no longer maintained by the Mozilla Foundation and subsequently will not be regularly updated for bug and security fixes.

While this change has no immediate impact on users other than securing the long-term availability of security fixes, it introduces substantial changes to the Browser API and ABI. Therefore, applications that depend on those APIs (for example, browser plugins) may need to be upgraded as well. Current Firefox plugins will work with the Seamonkey Navigator Web browser.

Fedora Legacy bug for these issues: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194440

Congrats to Fedora Extras for getting Seamonkey packages out already! :)

Regards, David

-- Stephen J Smoogen. CSIRT/Linux System Administrator
Re: [Fwd: Re: New Mozilla vulnerabilities??]
On 6/9/06, Josh Bressers [EMAIL PROTECTED] wrote:
Matthew Miller wrote:
On Sat, Jun 03, 2006 at 02:36:13PM -0500, David Eisenstein wrote:

It mentions a bunch of vulnerabilities (all of which seem to affect Seamonkey, Thunderbird, and Firefox). After looking at each VU#, it appears that none of the announcements mention the Mozilla suite. Also, at least as of last night, none of them mention any CVE #'s.

No updates for Firefox for Fedora Core yet, either https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194617

I heard a rumor the other day that Red Hat Enterprise Linux may be planning to replace Mozilla with Seamonkey in their currently-maintained distros. Am wondering if there is any truth to this rumor? Also wondering if there is anything we in Fedora Legacy can do to help in this process of dealing with these critical Mozilla/Firefox/Seamonkey bugs?

This is true. We're going with seamonkey in RHEL. I think this current round of issues is proof as to why this has to happen. Backporting to the firefox 1.0 branch is nearly impossible given the drastic changes between versions. Right now we're furiously working on backporting patches for the most critical issues. If you want to help mail Chris Aillon ([EMAIL PROTECTED]) with your request. He's currently heading up a small group of various distributors trying to get all this work done.

I would say that it is not worth the effort to do that much backporting. I am having to deal with sites that just want to block old Firefox browser strings anyway at their firewalls. So my day job is basically going to be get 1.5.0.4{5,6,7} onto RHL-7.3 - RHEL-4 anyway.

My {I am not much of a coder, but have to deal with the mess left over by them} position would be that getting a modularized javascript interpreter written, debugged, security minded than trying to back-fix things might be a better idea.

-- Stephen J Smoogen. CSIRT/Linux System Administrator
Re: Fedora products, to upgrade rather than backport?
On 5/15/06, Jesse Keating [EMAIL PROTECTED] wrote:

So in the RHL space, the choice was clear. Backport whenever possible. However the Fedora landscape is different. Upstream Core does not do backporting, they more often than not version upgrade to resolve security issues. Why should Legacy be any different? If we want to be transparent to end users we should follow what upstream does.

I think that we should try and take some reasonable goals for timelines for security:

What should our goal for turn-around time be for a vulnerability? [Off the wall answers below.]

Critical: 48 hours
Moderate: 168 hours
Low: 720 hours

Second, how hard is it to backport?

Hard: Code is no longer maintained and a quick patch attempt showed lots of collisions and rewrites.
Moderate: Code is maintained, but code is different.
Low: Patch was given for this version or code is only slightly different.

Third, how expert are you (the patcher) on what the vulnerability is, what the code is, and how you are 'stopping' the vulnerability from being there.

I think from those three, one could work out a decision tree on backporting or new release. In the case of new releases, we would make it part of the QA process to try and give a quick documentation of changes between old version and new version.

Flames? Thoughts?

-- Jesse Keating RHCE (geek.j2solutions.net) Fedora Legacy Team (www.fedoralegacy.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

-- Stephen J Smoogen. CSIRT/Linux System Administrator
Re: Fedora products, to upgrade rather than backport?
On 5/15/06, Eric Rostetter [EMAIL PROTECTED] wrote:
Quoting Stephen John Smoogen [EMAIL PROTECTED]:

Third, how expert are you (the patcher) on what the vulnerability is, what the code is, and how you are 'stopping' the vulnerability from being there.

I'm not sure that should come into play per se.

Does this explain it better? If you are not familiar with the code base and having to figure out a backpatch by hand (e.g. there is no available one for that release, etc), then how sure are you that you have fixed the security problem without opening another security problem?

-- Stephen J Smoogen. CSIRT/Linux System Administrator
Re: Fedora products, to upgrade rather than backport?
On 5/15/06, Eric Rostetter [EMAIL PROTECTED] wrote:
Quoting Jesse Keating [EMAIL PROTECTED]:

Sure, for RHL it is about stability. But with FC it was more about extending the lifespan. And to me, it really doesn't make sense to change the way in which the Fedora Project treats a release just because a different set of folks are touching it. I'm trying to establish a scenario where the Fedora Project as a whole has a certain lifespan for a Fedora (core+extras) release. An end user really shouldn't care how the updates are generated, just that they are published and announced in the same spaces, and that the content of said updates.

As long as they don't break more than they fix...

I think the problem with defining this is that the QA resources are even more limited than the developer resources. So a lot of problems do not get seen because we have a 3 'worksforme' and no For Cthulhu's sake, don't push this

-- Stephen J Smoogen. CSIRT/Linux System Administrator