On 01/23/2014 12:26 PM, Daniel P. Berrange wrote: > On Wed, Jan 22, 2014 at 12:13:48PM -0700, Eric Blake wrote: >> On 01/15/2014 01:43 PM, Eric Blake wrote: >> >>> Is anyone still using v0.9.11-maint? The CVE extends back to 0.9.8, so >>> we could argue that we should either fix the 0.9.11 branch, or add >>> another commit to the branch that explicitly marks it as end-of-life >>> because no one appears to be relying on it. Fedora 18 is now >>> end-of-life, so from Fedora's perspective, I only care about 0.10.2 >>> (RHEL and CentOS 6), 1.0.5 (F19), 1.1.3 (F20) and soon 1.2.1 (rawhide), >>> although I didn't mind touching all the intermediate branches on my way >>> down to 0.10.2. RHEL 5 is also vulnerable to CVE-2013-6458, but as we >>> don't have an upstream v0.8.2-maint branch (thank goodness!), that's >>> something for Red Hat to worry about. >> I've gone ahead and marked v0.8.3-maint and v0.9.11-maint as closed (I'm >> not posting the actual patch here, but it was done by 'git rm -f \*' >> followed by recreating .gitignore and a placeholder README that mentions >> the death of the branch). > FYI for openstack I examined the current libvirt versions in some > major distros: > > https://wiki.openstack.org/wiki/LibvirtDistroSupportMatrix After seeing that list, I thought an "end of life" column could be interesing, but then realized the only bit I was interested in was how long we will need to put of with the oldest version on the list. As far as I can tell, Ubuntu 12.04 LTS is scheduled for EOL in April 2017 (date from here: https://wiki.ubuntu.com/Releases ), so I guess *somebody* has to care about libvirt-0.9.8 until 2017 (of course we don't have a v0.9.8-maint branch anyway, so that's not likely going to happen within upstream infrastructure) -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list