Le Sam 5 août 2006 17:38, Toshio Kuratomi a écrit : > On Sat, 2006-08-05 at 11:16 +0200, Nicolas Mailhot wrote: >> Le vendredi 04 août 2006 à 17:50 -0700, Toshio Kuratomi a écrit : Hi Toshio, I'm sorry I took so long to answer, I've spent all too much time contemplating the inadequacy of my answers given the time I could spend on them these days. So in the end I decided a bad reply was better than no reply at all. >> Without the split I for example would not have been maintaining my >> packages forever but would have stopped maintenance much sooner (only >> doing rawhide + current). >> > Is this true even if there was a split in the level of support? The > same packager owns the package from inception to True EOL but there's a > place in the middle where maintenance goes from "new features, bugfixes, > upgrades" to "fix security issues only"? Even "fix security issues only" requires tracking the project and how it interacts with old Fedora releases. Given that a lot of Extra packagers to not patch code this "low level support" is probably almost as much work than "normal level support". Third party repos which do support old releases support them the same way as new releases for this reason. > I'm wondering if the difference in audience and mindset > is large enough that most packages will require two owners or if "fix > security issues" is a small enough amount of work and important enough > issue that packagers for current releases would be willing to be > responsible for that. I'd qualify a security issue release twice the work (or more) of a normal package release, so commiting to doing them is no light decision. (speaking as someone who did make CERT-related package releases) A security alert won't happen at a convenient time. It will require immediate action. It will require tracking upstream and other distro forums closely to get the right fix. It may require good CS skills to evaluate/apply the fix. It will wreak havoc in the personnal life of anyone not doing Fedora packaging as his day job. > In other words what should be our default expectations? Do we need an > FE-Legacy group and any current packagers that want to can step in to > help or do we have the kind of setup we have now: Package owners are the > primary line of defense in fixing security issues (and breakage that > falls out of that) and other groups (Security team and Dennis Gilmore > currently) step in when the owners bow out? There is little to no reward for people not interested in Legacy for doing Legacy work (in fact there is a serious disencentive exactly as for core as it will make more people use releases the packager does not care about instead of the ones he uses/needs) Legacy takes commitment, and unvoluntary commitment (like getting everyone in Legacy instead of making the effort to recruit actual volunteers) will only lead to orphan discoveries at the most inconvenient times. > Also note: If Extras packagers are expected to fix issues on Legacy > builds Extras packagers should get input on how long Legacy releases > were to last. Legacy is not forever, there is a true EOL. If Extras > packagers are doing work on Legacy, then they need to have a voice in > how long Legacy lasts. In other words one way or another Extra packagers doing Legacy work needs to be part of an Extras Legacy group. Honestly at this point I feel refusing to create Extras Legacy is just refusing to admit how few people are interested in such a group. Unmotivated people won't ever make a rapid response force in case of security problems >> In a volunteer project rules do not affect the amount of work people do. >> They only affect how the volunteers whose to allocate it. Spreading the >> available work budget over more releases will only benefit Legacy. The >> Legacy people should remember however a smaller Extras will mean less >> Fedora users and less Legacy users. > > I agree with this. So another way of phrasing this debate would be: Do > Extras packagers want to spend their time fixing older releases or > creating more packages? The only realistic way to know it is create a formal Extras Legacy group, and let people who want to spend their time fixing older releases join it. If you don't create it you won't get any more motivated people and (as a bonus) will lose any level of consistency between the support level of packages for the releases Extras covers today. Regards, -- Nicolas Mailhot -- Fedora-maintainers mailing list Fedora-maintainers@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-maintainers -- Fedora-maintainers-readonly mailing list Fedora-maintainers-readonly@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-maintainers-readonly
