Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
Eric Rostetter wrote:
> Quoting Axel Thimm [EMAIL PROTECTED]:
>> The issue is also not the infrastructure IMO, it's simply lack of human resources and either someone needs to assign them to it if that entity (Red Hat/board/whatever) considers that a worthy goal, or the resources need to come from more voluntary people, e.g. FL needs a marketing manager.
>
> I think it is both Infrastructure and lack of humans, plus stupid barriers that shouldn't exist. The learning curve is high, people look down at volunteers just because they don't/won't/can't use some technology (e.g. IRC), and there is little effort expended to get people to participate (though much flaming people for not participating).

I, for one, appreciate the hard work that you do, Eric. What do you suggest as an alternative for IRC for folks who are not able or interested in using it?

Warm regards,
David Eisenstein

--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
Quoting David Eisenstein [EMAIL PROTECTED]:
> What do you suggest as an alternative for IRC for folks who are not able or interested in using it?

I work in several opensource projects that have IRC channels, and I've never used IRC for any of them, and no one has ever complained about that fact except for here on FL. Instead, I use e-mail (the project mailing lists in all cases, except for here on FL where I sometimes use private e-mail also). Not a real big fan of the private e-mail, but it works here for some FL stuff. I've never had any lack of ability to do anything I wanted using e-mail instead of IRC on any of the projects I've worked on.

I'm not knocking IRC. It has some limitations though, such as timezone issues, etc. Plus, some of us work on FL stuff at work, and IRC may be blocked at our work place or disruptive to our work. This can be a real issue for some of us. Hence, I never use IRC/IM at work, and hence since 99% of my opensource work is done at the office and not at home, that means I really can't use IRC/IM for these projects.

Now, I think IRC is very useful for some things. For example, if you have a board or core group that has regular meetings, IRC is a great way to have those meetings. But for the typical FL user who isn't a core/board member, it is overkill. And I just don't see why I should be forced to install (IRC) software on my machine, learn how to use it, wonder if the University Network Folks will come knocking on my door because of it, and let it disrupt my work, just so I can ask a question that I can ask via e-mail.

Now, e-mail lists have advantages also. A nice, searchable archive of the messages for reference by others, reference for myself later, and as a source for creating the documentation on the issues addressed there. Plus of course the asynchronous nature which allows people in all different time zones to participate, etc.

So I'm not for getting rid of IRC, just for making it an additional option and not a required option.

> Warm regards,
> David Eisenstein

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
On Mon, Nov 06, 2006 at 08:21:26AM -0600, Rex Dieter wrote:
> David Eisenstein wrote:
>> Fedora Board, please take heed. Although providing a stable, long-term operating system/environment is *not* one of Fedora Project's stated goals, the practical lifetime of a Fedora release of 1 year (without Legacy to be there to security-maintain them for (at least) 1 more year) is ... ridiculous -- except for the Linux enthusiast and those who love sliding down the razor-blade of computing.
>>
>> The Fedora Legacy build team seems to be down now to 1 or 2 builders who can push packages to Legacy's updates-testing and updates.
>
> OK, I'll bite. What do you want exactly from the Board? Wave our magic Fedora wand to produce more (active) community contributors? OK, lemme see, now where did I leave that darn thing... :)

I don't know if the board has power over suggesting to Fedora's sponsor, Red Hat, to reshuffle its engineering resources, but if so, then it's a simple equation: If FL is indeed going to get more resources to prolong a Fedora release's lifespan then these resources need to be drained from somewhere. This can't be rawhide and the latest release, but maybe the previous release (like in this timeframe FC5). And it can't be Rex' magic hat either, I think it only produces rabbits and not yet FL contributors. ;)

There are a couple of non-security/non-bugfixes updates happening in FC5 right now, that maybe could have been cast into FL4 support.

And in the context of sparing resources FL would have to narrow the support matrix to only one FL release. E.g. better to have good support for one release than only half for two. That drops half a year of support, but gains more trust back to FL if security issues within a release can be addressed for that other half year in a timely fashion.

--
Axel.Thimm at ATrpms.net
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
On Mon, Nov 06, 2006 at 08:21:26AM -0600, Rex Dieter wrote:
> OK, I'll bite. What do you want exactly from the Board? Wave our magic Fedora wand to produce more (active) community contributors? OK, lemme see, now where did I leave that darn thing...

I see 2 things that could help:

* use the fedora extras build system and procedures. I find legacy procedures very complicated. The legacy procedures have merit, there are more verifications, but maybe such procedures should be used in the future when there is a community.

* open fedora core to the community. That way people from the community interested in a package could help maintaining it in core and it would help a lot when it transitions to legacy. Currently core is closed to the community and core maintainers often don't collaborate with the community for packaging issues. In the current situation somebody interested in a package in legacy has to learn everything about that package, knowing that he has no control on the package in current and devel release. Co-maintainership in core with community members would help a lot having somebody still taking care of the package in legacy.

--
Pat
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
Axel Thimm wrote:
> I don't know if the board has power over suggesting to Fedora's sponsor, Red Hat, to reshuffle its engineering resources, but if so, then it's a simple equation: If FL is indeed going to get more resources to prolong a Fedora release's lifespan then these resources need to be drained from somewhere. This can't be rawhide and the latest release, but maybe the previous release (like in this timeframe FC5). And it can't be Rex' magic hat either, I think it only produces rabbits and not yet FL contributors. ;)

Board can make suggestions, yes. Dictate, no. The board doesn't have the resources in hand to allocate to sub projects. It can set policies and that's the primary work that's being done.

If it comes to resources, reshuffling won't work since there is no one working on the previous release that is not working on the current release of Fedora and rawhide too. It's all part of the common pool. If we pull people out of that, we would effectively be reducing the amount of movement forward. It would be possible to recommend that Red Hat hire *new people* to work solely on legacy but justifying that is harder compared to active upstream or new release development.

Unifying and opening up more of the infrastructure and other ideas like that only doing critical security fixes are things to look at.

Rahul
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
On Tue, Nov 07, 2006 at 11:46:37PM +0530, Rahul Sundaram wrote:
> Unifying and opening up more of the infrastructure and other ideas like that only doing critical security fixes are things to look at.

But FL's charter is already to only cater about security fixes, or do you imply to categorize them and allow some to slip? E.g. allow local privilege escalation, but fix remote exploits? I don't think that's a good FL manifesto. Allowing non-critical security issues to exist will only harm the project's front to the public more.

The issue is also not the infrastructure IMO, it's simply lack of human resources and either someone needs to assign them to it if that entity (Red Hat/board/whatever) considers that a worthy goal, or the resources need to come from more voluntary people, e.g. FL needs a marketing manager.

Or the need for resources is cut by reducing the number and time span of supported releases.

--
Axel.Thimm at ATrpms.net
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
Quoting Axel Thimm [EMAIL PROTECTED]:
> The issue is also not the infrastructure IMO, it's simply lack of human resources and either someone needs to assign them to it if that entity (Red Hat/board/whatever) considers that a worthy goal, or the resources need to come from more voluntary people, e.g. FL needs a marketing manager.

I think it is both Infrastructure and lack of humans, plus stupid barriers that shouldn't exist. The learning curve is high, people look down at volunteers just because they don't/won't/can't use some technology (e.g. IRC), and there is little effort expended to get people to participate (though much flaming people for not participating).

There is also an emphasis on getting people to only help with QA, which is rather bad. If you can get people to start helping however they feel they can, they will generally and eventually start helping in other areas. But people generally need encouragement, and not flame wars, insults, and barriers.

> Or the need for resources is cut by reducing the number and time span of supported releases.

An option, but it only makes the limited resources go further, when what we really need are more resources...

> --
> Axel.Thimm at ATrpms.net

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
On Tue, Nov 07, 2006 at 04:54:34PM -0500, Jesse Keating wrote:
> On Tuesday 07 November 2006 16:47, Axel Thimm wrote:
>> The issue is also not the infrastructure IMO, it's simply lack of human resources
>
> Well, if the barrier to contribute was lower, getting more people would be easier. If it were say as easy as using the Extras build system so that any current Extras contributor could easily become a Legacy contributor as well... This is what I'm working towards.

It's certainly worth while attacking this way, but I think it will not be enough. Let's hope I'm wrong.

--
Axel.Thimm at ATrpms.net
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
Axel Thimm wrote:
> On Tue, Nov 07, 2006 at 11:46:37PM +0530, Rahul Sundaram wrote:
>> Unifying and opening up more of the infrastructure and other ideas like that only doing critical security fixes are things to look at.
>
> But FL's charter is already to only cater about security fixes, or do you imply to categorize them and allow some to slip? E.g. allow local privilege escalation, but fix remote exploits? I don't think that's a good FL manifesto. Allowing non-critical security issues to exist will only harm the project's front to the public more.

Not really. It is better than not pushing updates at all. See https://www.redhat.com/archives/fedora-security-list/2006-October/msg6.html

> The issue is also not the infrastructure IMO, it's simply lack of human resources and either someone needs to assign them to it if that entity (Red Hat/board/whatever) considers that a worthy goal, or the resources need to come from more voluntary people, e.g. FL needs a marketing manager.

Lack of human resources is also a result of higher barrier to entry. New people need to be able to contribute easily. Existing contributors in other sub projects like extras need to be able to do that. Unifying infrastructure and automating more of the tasks helps in both ways.

> Or the need for resources is cut by reducing the number and time span of supported releases

Just as reducing time span is an option, classification of vulnerabilities and working on critical ones after a time span is also an option that needs to be considered.

Rahul
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
Eric Rostetter wrote:
> Quoting Axel Thimm [EMAIL PROTECTED]:
>> The issue is also not the infrastructure IMO, it's simply lack of human resources and either someone needs to assign them to it if that entity (Red Hat/board/whatever) considers that a worthy goal, or the resources need to come from more voluntary people, e.g. FL needs a marketing manager.
>
> I think it is both Infrastructure and lack of humans, plus stupid barriers that shouldn't exist.

Agreed... getting people to participate is one thing, but the effort to contribute is a bit high at the moment, considering that most folks are making this part of their spare time...

It's also about organizational leadership, which to be honest, I do find lacking... there is no specific plan, no accountability/responsibility, no visible means to release into testing and production. To be honest, Legacy is pretty much borken as an organization at the people level. Folks want/need to know what to do, who does what, and how things work. This may be an implied thing at the moment, but speaking from somebody looking in from the outside, I have to ask why bother?

1) Packagers - this is important obviously
2) Testers - packagers should not be testers, but testers should be defined
3) Releaser Management - once QA is done, somebody needs to release the package to the production tree...

The three roles are very different, and these need to be filled by different people, i.e. no overlap in responsibility...

> The learning curve is high, people look down at volunteers just because they don't/won't/can't use some technology (e.g. IRC), and there is little effort expended to get people to participate (though much flaming people for not participating).

The bar is pretty high to get in, and this is intimidating for those who lack experience with items outside of the course of their normal usage. Not to say that folks could not rise up to the challenge, it's just that the path is poorly documented, and the tools are, to be honest, a bit tough to use. Again, it comes down to who and how...

> There is also an emphasis on getting people to only help with QA, which is rather bad. If you can get people to start helping however they feel they can, they will generally and eventually start helping in other areas. But people generally need encouragement, and not flame wars, insults, and barriers.

Bingo... thing is that QA is the end of the line, and the one most needed and least respected by the folks that build packages. One thing that is very important, as the base of folks that would be potential QA candidates is to:

1) spell out what is needed - what is the problem and fix, how to test it?
2) how to use the systems - how to mark tested, reopen, open new bugs

For the packagers... how to package for a release. I maintain my own boxen, so when a security issue pops up, I download source or make the fix locally. How to build a package and release it into testing remains somewhat of a mystery... I'd be happy to do so, if it were documented somehow.

>> Or the need for resources is cut by reducing the number and time span of supported releases.
>
> An option, but it only makes the limited resources go further, when what we really need are more resources...

More resources is not the answer - better management of the resources that are on board, and better tools to manage the process is what is needed. The process itself needs to be defined and clarified.

Tim
You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
----- Original Message -----
From: Thorsten Leemhuis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 03, 2006 9:19 AM
Subject: Re: [fab] looking at our surrent state a bit

> == MISC ==
>
> * I got the impression (and LWN readers, too [hello corbet!]) that Fedora Legacy is not able to do its job properly. Maybe it's time to just revamp the whole project? How? Give it a fresh start, a new name (because the Term Fedora Legacy has such a bad fame now), maybe try to get the load reduced (only support releases with odd number for a longer time, drop old releases). Current Fedora Legacy status: see http://fedoraproject.org/wiki/Legacy/Status

Thank you, Thorsten, for having the guts to say it -- at least about Legacy's reputation/infamy now. Of course, corbet had the guts to say it first here: http://lwn.net/Articles/204722/. Thanks, corbet. It needed to be said.

The Fedora Project NEEDS Fedora Legacy! I repeat: The Fedora Project NEEDS Fedora Legacy in order to be a viable Linux distribution to be used for anything other than pushing the latest and greatest software out the door for Linux aficionados to play with and submit bugzilla tickets for.

As Matthew Miller said at the beginning of Fedora Legacy's thread lwn article on the death of Fedora Legacy,

    Without a functioning lifespan of over a year, Fedora is only practically useful as an enthusiast, bleeding-edge distro. That's only supposed to be _part_ of its mission.
    -- http://tinyurl.com/ycl3zp

Fedora Board, please take heed. Although providing a stable, long-term operating system/environment is *not* one of Fedora Project's stated goals, the practical lifetime of a Fedora release of 1 year (without Legacy to be there to security-maintain them for (at least) 1 more year) is ... ridiculous -- except for the Linux enthusiast and those who love sliding down the razor-blade of computing.

The Fedora Legacy build team seems to be down now to 1 or 2 builders who can push packages to Legacy's updates-testing and updates. I am one of that team now, and am the slowest, most pedantic RPM packager/signer/pusher that you'd never wanna meet. The most sure-fire way of killing Fedora Legacy is to let me be the only one doing this essential activity with Fedora Legacy Core packages that need security updates in a timely fashion. Is this really what the Fedora Board and Red Hat wants?

Although I am amid working with pushing a gzip security bug ( http://tinyurl.com/yhvh4a ) to updates-testing in the last few days, in general, Legacy Security Updates for FC3 and FC4 are simply not happening. Hopefully by Tuesday or so, this FC3/FC4 bug will at least be in updates-testing for folks to play with and judge, so it can quickly be pushed to updates (only about 2 months after Red Hat Enterprise Linux pushed similar security updates on these issues).

In the history of the Fedora Legacy project, IMNSHO it has not been often that updates have been released quickly to end-users (after a security hole has been made public), unless there was a hue-and-cry over on the Fedora-legacy-list about, say, sendmail or some other server program that might allow, say, remotely-controlled anonymous root access to someone's box.

I would love to see Fedora Legacy (by that name or any other name) take off and prosper, and be a real boon to users of maintenance-mode Fedora Core (and Red Hat Linux -- yes, we are continuing to roll some updates to RHL 7.3 and RHL9 until December ... um ... at least I think we are??).

But as some folks have clearly said, until it does, at least to take care of the *critical* security bugs (letting the moderate or important or low-security-impact bugs slide until we have the manpower to handle them) -- THE EXISTENCE OF FEDORA LEGACY IS PROVIDING A FALSE SENSE OF SECURITY FOR OUR END-USERS ... at least at this time.

If you don't believe that -- look at this article about Fedora Core 6 on eWeek Magazine's web-site, by the excellent writer, Jason Brooks: http://www.eweek.com/article2/0,1895,2048117,00.asp

It's not the article, really, that proves my point. It's the article's talkback. I wish what commenter unoengborg was saying were true. Really, really, really wish. But it ain't -- not yet. Will it ever be? That's up to you, dear reader.

I would like to propose a time folks interested in a vital and alive (even revamped) FedoraLegacy project can come on over to IRC (freenode.net) and sit and yack awhile, brainstorming and struggling with these issues. I plan to be online over on channel #fedora-legacy around 10am CST for at least two hours every day this week. Come by. Come chat. Come yell! Just come! We need your help!

Thank you.

Warm regards,
David Eisenstein
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
On Monday 06 November 2006 06:21, Rex Dieter wrote:
> David Eisenstein wrote:
>> Fedora Board, please take heed. Although providing a stable, long-term operating system/environment is *not* one of Fedora Project's stated goals, the practical lifetime of a Fedora release of 1 year (without Legacy to be there to security-maintain them for (at least) 1 more year) is ... ridiculous -- except for the Linux enthusiast and those who love sliding down the razor-blade of computing.
>>
>> The Fedora Legacy build team seems to be down now to 1 or 2 builders who can push packages to Legacy's updates-testing and updates.
>
> OK, I'll bite. What do you want exactly from the Board? Wave our magic Fedora wand to produce more (active) community contributors? OK, lemme see, now where did I leave that darn thing...
>
> -- Rex

a confession of inadequacy is more of a preliminary than an answer

Dave

--
How are nations ruled and led into war? Politicians lie to journalists and then believe those lies when they see them in print.
—Austrian journalist Karl Wiegand, explaining the causes of the First World War.
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
On Monday 06 November 2006 09:59, Dave Stevens wrote:
> a confession of inadequacy is more of a preliminary than an answer

Confession how? How would it be any different from the Fedora Legacy project itself from making some sort of 'confession'? The unfortunate problem is ours to solve.

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
Dave Stevens wrote:
> a confession of inadequacy is more of a preliminary than an answer
>
> Dave

Sorry, to butt in

Maybe, what we need to do is have a re-organization of the idea of FedoraLegacy instead of trying to overtax anyone. Or chase anyone away from helping.

Just some proposals:

(1) Every new release into fedora legacy should start with a collection of a group to manage the packages for that version. And only that version to help alleviate getting overwhelmed with multiple platforms, dependencies, etc. Yes, I know this may cause issues, but, it may be better than the current situation of lagging releases and other dependencies slowing the release of one package or another for each platform. Or having to just drop everything causing more problems for others wanting updates.

(2) Each FC version can be maintained by a different group, pushing, etc the updates for that version only. Of course, we can have a super user able to verify and validate everything pushed through by the group (RH).

(3) Make it easier for people to get involved. Having a list of packages and maintainers is OK, but, having a few people managing large numbers of packages is very difficult. I'd say a limit of 5-10 packages may be reasonable any more than that will cut out others from helping.

(4) Everyone needs to follow some rules when releasing anything for testing...! Very important.
    (a) Email this list!!
    (b) Include the bugzilla ID and or link to post checks against the package.
    (c) Try to include any steps to produce the problem reported by CVE. or have a link to such documentation to be sure the fix actually fixes the issue.

(5) Everyone verifying packages:
    (a) Verify installation of the packages.
    (b) Be sure the applications still WORK. Installation is not the only thing that should be verified.
    (c) Be sure to check to be sure nothing is broken, to your ability.

Lastly, we really need to work together more!

-James
Re: You Need Fedora Legacy!! Re: [fab] looking at our surrent state a bit
On Mon, Nov 06, 2006 at 10:04:06PM -0500, Matthew Miller wrote:
> Additionally, the project simply needs at least one person who manages the project as a full-time job. And by needs, I mean: I'm very skeptical that it can be viable without this. While the project was in its most functional stage, Jesse Keating was basically doing this, and without, it collapsed. *
>
> If no such person can be found, I think it's most responsible to declare the experiment completely failed.

[*] And, I suspect that the extent to which he had other things to do in his job at Pogo Linux correlates pretty well with the extent to which the project could have improved further at that stage.

--
Matthew Miller [EMAIL PROTECTED] http://mattdm.org/
Boston University Linux -- http://linux.bu.edu/