Rahul Sundaram wrote:
Since we cannot give a definitive time period, because it is volunteer-based,
it is better not to give one.
It is possible for volunteer-based projects to give a better timeframe
than merely an ad-hoc maintenance policy. We need to do this in a more
organized way for end users to take advantage of this. If, say, the kernel
or ssh isn't maintained and has security issues, would it really be
useful for some of the other core packages to get updates?
Packages other than the kernel, ones that provide network services, and
ones that run setuid are fairly unlikely to cause serious security problems.
For two releases and a month (approx 13 months), we do the full
updates as we are doing currently. For another say 5 months or till
the next release we do only security fixes and very major bug fixes
(as in crashes all the time sort of bugs). We don't necessarily
backport or guarantee ABI
We don't have the manpower for that.
How do we really know that? I don't think anybody has really looked at
the manpower required for doing just critical security fixes for a few
months more.
The package maintainer might also have the option of replacing the EOL'd
Fedora package with one rebuilt from the CentOS distro (centosplus for
the kernel) or the currently maintained Fedora version so as not to have
to continue to backport security patches separately.
--
Les Mikesell
lesmikesell@xxxxxxxxx
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list