On Sat, 2006-10-07 at 17:26 -0500, Jason L Tibbitts III wrote: > >>>>> "GS" == Gianluca Sforna <giallu@xxxxxxxxx> writes: > GS> Anyway ( sorry for being clueless ) why should we worry about > GS> legacy distros, instead of leaving that to something like an > GS> "Extras Legacy" SIG? > > And who would do that, exactly? The security team exists to help, but > maintenance of a package on all supported Fedora releases is still > the responsibility of the maintainer of said package. I don't think > that anyone expects maintainers to keep a machine with each OS > revision loaded so that everything can be tested; the community should > be relied on for some of that. But when there are security > problems it's still the maintainer's responsibility to evaluate them > and evaluate the possible solutions and at least get those evaluations > into the relevant bugzilla tickets. No. This is currently nobody's responsibility. Which is a problem which has not yet been adequately addressed. Many Extras contributors have signed on to maintain packages for the currently active releases only (where active does not include Legacy.) Others have no problems with supporting Legacy as well. We don't know how many are in each camp, only that there are squeaky wheels on both sides. We need to discuss that aspect of http://www.fedoraproject.org/wiki/Extras/Schedule/MaintainerResponsibilityPolicy and either make a decision or come up with a plan to make a decision: FESCo votes? Extras Contributors vote? Package by package basis? Greaco-Roman wrestling competition between the leaders on each side? I have several problems with the constant claim that it is the maintainers responsibility to maintain packages until Legacy ends: 1) I didn't sign up for that. Legacy wasn't brought up with relation to Extras until long after I joined. 2) The decision to support for that length of time is not something I had any ability to help determine. If Extras contributors were able to help decide how long Legacy support lasts it would be fair to expect that they would help to make that a reality by maintaining their packages for that length. Since this isn't currently the case, it is unfair to place the burden for supporting that decision on them. This is part of the foundation of opensource: those who do the work make the decisions. 3) The expectations for how a package is maintained while in Legacy mode are different than in the current releases. This requires a different mindset as a packager. Devel and current releases push for "latest and greatest" unless that is known to break something. Legacy releases are more suited for (but don't require) backports for (required criteria) security and serious bug fixes. 4) The package maintainer has to accept help to fix architecture specific problems if offered but isn't responsible for creating the fixes if they have no access to the arches, why is the expectation different for releases that the maintainer does not have access to test on? 5) How many contributors are against being responsible for legacy releases? If it's a small number then we either create the legacy policy and have people that pick up the slack for the few who don't want to do it (or those people will quit the project in disgust and their packages will become orphaned on all releases.) If it's a large number then attempting to hold people responsible for those releases is going to be like trying to bail out a sinking ship with a sieve. -Toshio
Attachment:
signature.asc
Description: This is a digitally signed message part
-- fedora-extras-list mailing list fedora-extras-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-extras-list
