Jesse Keating wrote:
> So in the RHL space, the choice was clear. Backport whenever possible.
> However the Fedora landscape is different. "Upstream" Core does not do
> backporting, they more often than not version upgrade to resolve
> security issues. Why should Legacy be any different? If we want to be
> transparent to end users we should follow what "upstream" does.
>
> Flames? Thoughts?

(1) A backport should be preferred over an outright upgrade in most circumstances. One example: we should not upgrade everyone to gcc-4.x just because upstream decides it fixes or performs better. This would break many things, especially kernel trees. 2.4 kernels do not compile with 4.x of gcc, and the group doing work on the 2.4 kernel has abandoned any support for 4.x of gcc.

(2) System stability should factor into the equation. Many times the bleeding edge of technology is highly unstable or problematic, like going from apache 1.x --> 2.0 or from 2.0 to 2.2. The large steps often break many things in the switch. My recent endeavor of updating subversion for web-dav for apache was a long process of updating package after package to fill all the new dependencies. Granted, I now have a full update for subversion for FC1 if anyone wants to use it; but most people wouldn't want to take the chance that something is broken due to inadequate testing.

(3) The fewer changes posed by a backport would be better than the massive amounts of changes in an upgrade or version bump, which will mean more testing would be required for the latter! This is a requirement for any large system changes. That said, even small changes can have a big impact on a system... Take the recent patches to apache for security issues, which have broken one of the features of Winki. I still am unable to log in and have not heard anything from RedHat about any work on fixing this. I'm not bashing anyone on this issue, because it is not a frequently used feature when someone forgets their password.

(4) We need to be sure we are not opening everyone up for a bigger problem of some security issue in the future with the newer versions of software. One of Linux's claims to security is the diversity of applications out there and the many differences between all the different versions. Virus writers need a stable platform to do their craft. If we fall into the Windows trap of providing a common platform we open up the virus world to the Linux community in a large scale attack.

Security updates are important, but we also need to have a way of safeguarding the current users against attacks while the solution is merged in, in a timely manner, and fully tested to fix the problem and proven not to break anything catastrophically.

-James

--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list