Flavio Percoco wrote:
> On 04/05/17 11:18 -0400, Jonathan Proulx wrote:
>> On Thu, May 04, 2017 at 04:14:07PM +0200, Thierry Carrez wrote:
>> :I agree that our current stable branch model is inappropriate:
>> :maintaining stable branches for one year only is a bit useless. But I
>> :only see two outcomes:
>> :
>> :1/ The OpenStack community still thinks there is a lot of value in doing
>> :this work upstream, in which case organizations should invest resources
>> :in making that happen (starting with giving the Stable branch
>> :maintenance PTL a job), and then, yes, we should definitely consider
>> :things like LTS or longer periods of support for stable branches, to
>> :match the evolving usage of OpenStack.
>> :
>> :2/ The OpenStack community thinks this is better handled downstream, and
>> :we should just get rid of them completely. This is a valid approach, and
>> :a lot of other open source communities just do that.
>> :
>> :The current reality in terms of invested resources points to (2). I
>> :personally would prefer (1), because that lets us address security
>> :issues more efficiently and avoids duplicating effort downstream. But
>> :unfortunately I don't control where development resources are posted.
>
> Have there been issues with downstream distros not addressing security
> fixes properly?

No, not at all -- but usually they package upstream vulnerability fixes,
which are produced on stable branches. In mode #2 we would only patch
master, forcing downstream to do backports for more branches. That is
what I meant by "more efficiently". Sorry for being unclear.

--
Thierry Carrez (ttx)