Re: Legacy in Build Roots

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Le Sam 5 août 2006 17:38, Toshio Kuratomi a écrit :
> On Sat, 2006-08-05 at 11:16 +0200, Nicolas Mailhot wrote:
>> Le vendredi 04 août 2006 à 17:50 -0700, Toshio Kuratomi a écrit :

Hi Toshio,

I'm sorry I took so long to answer, I've spent all too much time
contemplating the inadequacy of my answers given the time I could spend on
them these days. So in the end I decided a bad reply was better than no
reply at all.

>> Without the split I for example would not have been maintaining my
>> packages forever but would have stopped maintenance much sooner (only
>> doing rawhide + current).
>>
> Is this true even if there was a split in the level of support?  The
> same packager owns the package from inception to True EOL but there's a
> place in the middle where maintenance goes from "new features, bugfixes,
> upgrades" to "fix security issues only"?

Even "fix security issues only" requires tracking the project and how it
interacts with old  Fedora releases. Given that a lot of Extra packagers
to not patch code this "low level support" is probably almost as much work
than "normal level support". Third party repos which do support old
releases support them the same way as new releases for this reason.

> I'm wondering if the difference in audience and mindset
> is large enough that most packages will require two owners or if "fix
> security issues" is a small enough amount of work and important enough
> issue that packagers for current releases would be willing to be
> responsible for that.

I'd qualify a security issue release twice the work (or more) of a normal
package release, so commiting to doing them is no light decision.
(speaking as someone who did make CERT-related package releases)

A security alert won't happen at a convenient time. It will require
immediate action. It will require tracking upstream and other distro
forums closely to get the right fix. It may require good CS skills to
evaluate/apply the fix. It will wreak havoc in the personnal life of
anyone not doing Fedora packaging as his day job.

> In other words what should be our default expectations?  Do we need an
> FE-Legacy group and any current packagers that want to can step in to
> help or do we have the kind of setup we have now: Package owners are the
> primary line of defense in fixing security issues (and breakage that
> falls out of that) and other groups (Security team and Dennis Gilmore
> currently) step in when the owners bow out?

There is little to no reward for people not interested in Legacy for doing
Legacy work (in fact there is a serious disencentive exactly as for core
as it will make more people use releases the packager does not care about
instead of the ones he uses/needs)

Legacy takes commitment, and unvoluntary commitment (like getting everyone
in Legacy instead of making the effort to recruit actual volunteers) will
only lead to orphan discoveries at the most inconvenient times.

> Also note: If Extras packagers are expected to fix issues on Legacy
> builds Extras packagers should get input on how long Legacy releases
> were to last.  Legacy is not forever, there is a true EOL.  If Extras
> packagers are doing work on Legacy, then they need to have a voice in
> how long Legacy lasts.

In other words one way or another Extra packagers doing Legacy work needs
to be part of an Extras Legacy group.

Honestly at this point I feel refusing to create Extras Legacy is just
refusing to admit how few people are interested in such a group.
Unmotivated people won't ever make a rapid response force in case of
security problems

>> In a volunteer project rules do not affect the amount of work people do.
>> They only affect how the volunteers whose to allocate it. Spreading the
>> available work budget over more releases will only benefit Legacy. The
>> Legacy people should remember however a smaller Extras will mean less
>> Fedora users and less Legacy users.
>
> I agree with this.  So another way of phrasing this debate would be: Do
> Extras packagers want to spend their time fixing older releases or
> creating more packages?

The only realistic way to know it is create a formal Extras Legacy group,
and let people who want to spend their time fixing older releases join it.

If you don't create it you won't get any more motivated people and (as a
bonus) will lose any level of consistency between the support level of
packages for the releases Extras covers today.

Regards,

-- 
Nicolas Mailhot

--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers

--
Fedora-maintainers-readonly mailing list
Fedora-maintainers-readonly@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers-readonly

[Index of Archives]     [Fedora Users]     [Fedora Development]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]

  Powered by Linux