On 2014-09-30 02:39:08 +0300 (+0300), George Shuklin wrote:
[...]
> Security fixes should be continued at least twice longer than normal
> bugfixes.

You might think that, but we can only support and release security fixes for software if we can test it. The unfortunate truth is that as soon as we stop updating stable branches to accommodate changes in clients and dependent libraries outside of these branches, they cease working almost immediately and are untestable.

> This model (all important bugfixes released and then not any kind
> of security fixes at all) is just looking like yummy cake for
> 'redistributors' - but no one knows if they are capable to backport
> all new fixes or not...

In fact, those distributors are our stable branch maintainers. Like it or not, the software is written by collaborators, and someone has to do the work to backport any fixes (security or otherwise). Unlike many free software projects, a few members of the OpenStack community actually manage to come together and keep prior releases working for a time, backport important fixes to them, et cetera. The overwhelming majority of free software projects do not bother at all.

A couple times a year we review our collective ability to provide ongoing support for old releases, based on historical trends for when developers have ceased caring about the fixes necessary to keep such things working, and plan out stable point release schedules taking those realistic limitations into account. If you are sincerely interested in helping with this task, I strongly recommend getting involved with the stable branch maintainers.

https://wiki.openstack.org/wiki/StableBranch#Joining_the_Team

> You can say 'go and upgrade', but usually fresh version of
> openstack is just too raw and buggy. Example: bug in neutron
> (havana) which causes instances to lose networking on reboot was
> fixed year after initial release. And security support was dropped
> right after that release.

This is also a fair criticism, and will only improve with help from you and other interested developers.
--
Jeremy Stanley
