On 09/18/2014 05:15 PM, Eric Blake wrote:
> On 09/18/2014 02:36 AM, Daniel P. Berrange wrote:
>> On Wed, Sep 17, 2014 at 04:24:07PM -0600, Eric Blake wrote:
>>> Any objections to retiring the v0.9.6-maint branch? After all, we have
>>> already retired the v0.9.11-maint branch
>>> (http://libvirt.org/git/?p=libvirt.git;a=commit;h=cd0d348ed), and the
>>> only activity on v0.9.6-maint since 0.9.6.4 was released in January 2013
>>> was the backport of a single CVE fix. The branch no longer builds
>>> cleanly on Fedora 20, and while I could identify patches to backport to
>>> fix the build situation, it's not worth my time if we can just retire
>>> the branch.
>>
>> FWIW, I'm not really a fan of deleting the branches. Is there any harm
>> to just leaving it there idle?
>
> The branches aren't deleted, per se, just a new commit added on top of
> the branch that declares the intent. For example, all you see if you
> check out v0.9.11-maint is this README file:
>
> http://libvirt.org/git/?p=libvirt.git;a=blob;f=README;h=68aeed1ae7d131661f2ba07eff1b4ae16ac4f3b8;hb=cd0d348ed
>
> The branch would still be usable by checking out v0.9.11-maint^ as a
> detached head, so the history is still there. All I'm proposing is
> documenting that we aren't going to try and port security fixes to the
> branch any longer, because no one appears to be actively using it.

I think we need to be clearer on the website about what is maintained
and how. The Security Process [1] states:

> The libvirt community maintains one or more stable release branches at any
> given point in time. The security team will aim to publish fixes for GIT
> master (which will become the next major release) and each currently
> maintained stable release branch. The distro maintainers will be
> responsible for backporting the officially published fixes to other release
> branches where applicable.

But in practice, CVE fixes are pushed to all -maint branches, not just
those with releases.

http://libvirt.org/downloads.html mentions that supported -maint branches
are considered during CVE analysis, but it's unclear what the definition
of "support" is. This paragraph about hourly snapshots:

> These snapshots should be usable, but we make no guarantees about their
> stability; furthermore, they should NOT be considered formal releases, and
> they may have transient security problems that will not be assigned a CVE.

may give the impression that the CVEs are fixed in the maintenance
releases, even when they're only backported to the branches. (The wiki
[2] lists past maintenance releases, but gives no indication whether
there will be more releases.)

Since stable releases were made out of 0.9.6, I think we should mention
on the wiki/download page that no more releases are going to be made and
they are no longer supported (same for 0.9.11 and maybe 0.10.2 too?), in
addition to/instead of deleting the content of the branch.

(Also, maintaining 20 releases is IMHO a waste of time; personally I only
backport my important fixes to the latest Fedora release, where I know
they will be picked up in the next release, and to the latest -maint
branch. Does anyone use the -maint branches without maintenance releases?
IIRC they were created for Gentoo, but it looks like all the current
versions use the vanilla sources, with no backports from the maint
branches [3].)

Jan

[1] http://libvirt.org/securityprocess.html
[2] http://wiki.libvirt.org/page/Maintenance_Releases
[3] http://packages.gentoo.org/package/app-emulation/libvirt
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
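The thread turns on two git facts: a security fix can be backported to a -maint branch without any release tag ever containing it, and "retiring" a branch by committing a README on top keeps the old history one `^` away. The script below is an added example, not code from the thread or from the libvirt project. It assumes `git` is installed and builds a throwaway repository with constructed branch names, tag names, file names and commit subjects that mimic the situation described (a `master` branch, a `v0.9.6-maint` branch with a `v0.9.6.4` tag, and a fix backported after that tag). `fix_status` answers the question a distro maintainer actually has, "is this fix on the branch, and did any release tag pick it up?", by matching the commit subject rather than the hash, since a cherry-picked backport is a different commit object from the upstream fix. `retire_branch` then performs the README-on-top retirement and `files_at` shows that the pre-retirement tree is still reachable via `v0.9.6-maint^`.

```shell
#!/bin/sh
# Added example, not code from the libvirt thread or project. Builds a
# throwaway repository that mimics the thread's situation. All branch,
# tag, file names and commit subjects below are constructed.
set -eu

REPO=$(mktemp -d)
trap 'rm -rf "$REPO"' EXIT
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# Constructed subject of the "security fix" commit (no real CVE id).
SEC_SUBJECT='parser: reject oversized length field (security fix)'

setup_repo() {
    cd "$REPO"
    git init -q . 2>/dev/null
    git symbolic-ref HEAD refs/heads/master
    printf 'int parse(void) { return 0; }\n' > src.c
    git add src.c && git commit -q -m 'initial import'
    git tag v0.9.6

    # Stable branch: one ordinary backport, then a maintenance release tag.
    git checkout -q -b v0.9.6-maint
    printf '/* stable fix */\n' >> src.c
    git commit -q -am 'stable fix'
    git tag v0.9.6.4

    # Development continues on master; the security fix lands there first.
    git checkout -q master
    printf '/* new feature */\n' > other.c
    git add other.c && git commit -q -m 'new feature'
    printf '/* bounds check */\n' > fix.c
    git add fix.c && git commit -q -m "$SEC_SUBJECT"
    FIX=$(git rev-parse HEAD)

    # Backport to the stable branch; no release is tagged afterwards.
    git checkout -q v0.9.6-maint
    git cherry-pick "$FIX" >/dev/null
    git checkout -q master
}

# Prints "missing", "unreleased" or "released <tag>" for the commit with
# subject $2 as seen from ref $1. Lookup is by subject because a backport
# is a different commit object than the upstream fix.
fix_status() {
    hash=$(git log -n 1 --format=%H --fixed-strings --grep="$2" "$1")
    if [ -z "$hash" ]; then
        echo missing
        return 0
    fi
    tag=$(git tag --contains "$hash" | head -n 1)
    if [ -z "$tag" ]; then
        echo unreleased
    else
        echo "released $tag"
    fi
}

# Retire a branch the way the thread describes: one more commit whose tree
# holds only a README. Everything before it stays reachable via <branch>^.
retire_branch() {
    git checkout -q "$1"
    git rm -r -q .
    printf '%s is retired: no further fixes, security or otherwise, will be backported.\n' "$1" > README
    git add README
    git commit -q -m "Retire $1"
}

# Space-separated list of top-level files in the tree of ref $1.
files_at() {
    git ls-tree --name-only "$1" | paste -s -d ' ' -
}

setup_repo
echo "master, $SEC_SUBJECT: $(fix_status master "$SEC_SUBJECT")"
echo "v0.9.6-maint, stable fix: $(fix_status v0.9.6-maint 'stable fix')"
echo "v0.9.6-maint, $SEC_SUBJECT: $(fix_status v0.9.6-maint "$SEC_SUBJECT")"
retire_branch v0.9.6-maint
echo "v0.9.6-maint tree:  $(files_at v0.9.6-maint)"
echo "v0.9.6-maint^ tree: $(files_at 'v0.9.6-maint^')"
```

The "unreleased" result for the security fix on `v0.9.6-maint` is exactly the gap Jan describes: the branch carries the fix, but anyone building from the last tagged release (`v0.9.6.4`) does not have it, and nothing on the download page says whether a further tag will ever come. After `retire_branch`, `git tag --contains` and `git log` still see the old commits, so the status checks keep working against the retired branch.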