Accidentally sent off-list. Resent.

On Friday, March 12, 2010, 3:05:18 PM, Tuju wrote:

> On Fri, 12 Mar 2010, Matthew Garrett wrote:
>>> RHEL has the resources to backport. CentOS uses those backports for
>>> free, but does not generate them (unless again the party supporting a
>>> component for CentOS happens to be upstream in RHEL).
>>
>> Debian has historically managed this. I really don't buy the argument
>> that security or other critical fixes are generally difficult to
>> backport.

> I thought that this was the reason why a package maintainer
> exists in the first place, to maintain the package (not the
> content):

In the likely event that the package maintainer is a volunteer, again there may be limited (or no) resources/time to backport. It may have to wait a few weeks due to real-life issues (kids, spouse, pets, day job).

> So in case Fedora's users suffer from a security bug, the maintainer
> collects the facts (what version, how many users are affected,
> important details from bug reports and debugging information, etc.),
> talks to upstream and, if the security bug is not backported, (s)he
> asks upstream to do so. They probably have the best skills to do so.

In the likely event that upstream is also a volunteer (and perhaps one and the same person as the package maintainer), the same issues will arise.

> I don't see how this wouldn't be in everyone's interest, even from the
> upstream point of view. They most likely don't want such a reputation
> that their software is dangerous to use.

These folks are not running a 24/7 business staffed with trained resources sitting idle (paid for by licence fees) waiting for your problem reports. I was with IBM for 23 years (shop floor control, debuggers, compilers) and most non-OS software problems were addressed by the developers during regular office hours and perhaps weekends. Anyone who thinks that free software should have an instantaneous turnaround for free support isn't being realistic. The developers may even want to provide that... but that is not reality.

> Unless the maintainer has issues with communication and social
> skills, this could very well be a problem and not that far-fetched.
> I wonder how many maintainers have even sent a short email to
> upstream and said:
> "Hello, thank you for coding this cool software with an open-source
> license. I'm packaging it now for Fedora, please send me
> announcements etc. and please don't hesitate to contact me if you
> have something in mind, I'm your contact at this end."
> Frankly, if you ask me, I'd rather take all backporting done by
> someone who actually knows what he's doing. And the same goes for
> packaging.

I think we're in "I want a pony" territory.

> As for KDE's "there won't be any more bugfix releases after a
> new feature release" - so what? How many real security issues have
> there been in history? Five? Ten? I bet those all would be
> backported by upstream if the community size of Fedora really needed
> them. Everyone who cannot wait those couple of months can do a checkout
> and compile themselves.
> Tuju

When was the last time you tried to build all of KDE? As much as I may disagree with Kevin on some points, what he does is nontrivial.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel