Hi all,
after reading Warren's drafts and the answers I'm getting the impression
that this project starts way too complicated. Let us just follow the KISS
principle (keep it simple, stupid). As Fedora-Legacy only exists to
handle security updates and is not intended to introduce new features to
EOLed distributions we should really focus on the essentials. For me
this means NO rpm upgrades.
Regarding RH8, this is totally infeasible. If the community demands that RH8 is not upgraded, then I personally have zero reason to work on this project.
RH9 is less of a problem, but deadlocks still were common enough there that I really feel upgrading is wise. It would also have the benefit of allowing the use of 2.6 kernels without the annoying O_DIRECT problem.
Ultimately it is terrible that we must continue to this day to tell people to manually kill their rpm processes and delete the lock files whenever this happens. Upgrading RH8 and RH9 rpm will simply make these problems go away, and the benefits far outweigh the risks here.
Just use the infrastructure and tools that Red Hat gave us with their distributions.
I very strongly oppose this, and below is why.
Updated packages should primarily be available via HTTP/FTP. Progeny also will focus on HTTP first. If someone can provide RSYNC, APT or YUM repositories later this would be fine but it is not needed in the first place.
1) The RH8 and RH9 repository has already been launched, and there have been mirrors and users for something like the past 9 months. apt and yum are already supported. The same will soon be launched for RH7.x.
2) Regarding "infrastructure and tools", it is infeasible to use the tools that come with those older distributions because that would require running a server like current. current just does not scale well, and far fewer mirrors would be willing to use it.
up2date from FC1 could be backported, but nobody even mentioned putting forward the work to do that yet.
There is also the fact that apt and yum are vastly superior to up2date in most ways, thus we should use the best tools available.
Personally I can offer to do package QA testing and bug reporting. I have access to RH 7.2/7.3/8.0 test servers and already do a little bit of QA on some of the fedora.us packages.
Excellent.
How shall we handle security alert notification to the developers? Can we expect that everyone monitors all major (open) security mailing lists? At least I do so.
Yes, and any knowledge already in the wild should be posted to the legacy list for discussion. Some of us may be on private security lists, and we will need to create policies for handling this "secret" knowledge. Please suggest such policy.
Warren