On Wed, Apr 27, 2016 at 4:00 AM, Stephen Gallagher <sgallagh(a)redhat.com&gt; wrote: The whole thread is based on this wrong assumption. Quoting from the update policy [1]: "If upstream does not provide security fixes for a particular release, and if backporting the fix would be impractical, then a package may be rebased onto a version that upstream supports. The definition of practicality is left to the judgment of FESCO and the packager. " And from the discussion that seems to be the case here so I'd opt for 4) Leave 5.x in and once it becomes EOL and a security issues comes up update to 6.x mid release. It would have had been tested in rawhide (and possible COPR) in the meantime which would minimize the impact. 1: https://fedoraproject.org/wiki/Updates_Policy#Security_fixes

On Tue, Apr 26, 2016 at 8:00 PM, Stephen Gallagher <sgallagh(a)redhat.com&gt; wrote: Ok well they all sound like a shade of terrible for one reason or another, so I'll suggest one maybe more terrible so that in comparison these three sound better. Ship 5.x and basically plan on abandoning it when upstream does, i.e. no plan at all, in advance, to do security fixes beyond upstream's date. If they happen, it's a bonus. Kinda reminds me of this Red October quote from Cpt Ramius: "When he reached the New World, Cortez burned his ships. As a result his men were well motivated." Meanwhile 6.x goes into copr now and can "ship" voluntarily at anytime in the life of Fedora 24. Include the plan in the release notes and common bugs, and ask volunteers to point this out in particular on upstream's EOL day for 5.x as a friendly reminder on the usual forums and such. -- Chris Murphy

On 27/04/16 03:00, Stephen Gallagher wrote: Off the top of my head I'm not aware of anything that requires 5.x and for the most part I think people try to support at least 4.x and 5.x at the moment, and often earlier versions as well. Tom -- Tom Hughes (tom(a)compton.nu) http://compton.nu/

When you went from 4.x -> 5.x the only stuff that appeared to need to be remixed was the binary archful rpms. P

Sounds like a job for rhscl :-) Denise > On Apr 26, 2016, at 10:01 PM, Stephen Gallagher <sgallagh(a)redhat.com&gt; wrote: > > OK folks, it's Bad Decision Time. > > Today, Node.js 6.0 was released. This is a significant ABI-breaking release, > which means there is no guarantee that existing modules will work with it at all.[1] > > Better still, Node.js 5.x is only going to be supported until sometime this > summer, because they're aiming for the 6.x branch to become the new LTS in > October[2]. This puts us in quite a bind. > > Fedora disallows major ABI changes in a stable release, so if Fedora 24 Final > ships with Node.js 5.x, we will be stuck with maintaining it until Fedora 24 EOL > (which is probably going to mean until approximately June 2017, or almost a full > year after upstream drops support). This means manually backporting any security > issues that come up without the benefit of a new version to rebase to and with > an increasing likelihood of the patches diverging from upstream. > > On the flip side, the major ABI break is hitting us post-Beta Freeze for Fedora > 24, which is a really terrible time to be switching to a new major version of a > language runtime (particularly since we don't actually know if any of the other > packages on the system will work with it at all). > > We don't have any particularly good options here. A downgrade back to 4.x (which > will be supported until at least April 2018, well past F24 EOL) would be very > difficult at this point, since node modules may have updated to newer, > incompatible versions. > > Furthermore, this came at a time where I was planning to write to the nodejs > list and let people know that due to my changing work responsibilities, I'm not > going to be able to be the primary maintainer of the main package any longer. > (I'd be able to swing the occasional minor- or point-release update, but > wrangling a major release won't be possible.) > > I realize this is inopportune, but it's best if we figure out *immediately* how > we're going to handle this. > > > Options: > 1) Downgrade back to 4.x, downgrading or dropping any modules in the collection > that don't run on that LTS version. > 2) Stick with 5.x for the life of Fedora 24, handling security backports > ourselves once it hits EOL this summer. > 3) Upgrade to 6.x, fixing or dropping any modules in the collection that don't > run on it yet. > > I'll stick around to help with this major effort (since it's partly my fault > we're in this mess; I didn't realize that the release schedule for 5.x was so > poorly aligned with Fedora 24), but after that I'm going to need someone else to > step up and handle the primary maintenance. > > > I don't like any of the choices, but I'm going to suggest that option 3) may be > our best choice if we can manage it; we will want to be doing the same work for > Fedora 25/Rawhide anyway, so it's not wasted effort. Also, a lot of the node > modules in Fedora are only there because originally we needed them as > dependencies for npm. Since we recently switched to carrying the embedded npm > (and its rat's-nest of dependencies) inside the main nodejs package, we can > probably get away with breakage in a lot of the modules in the collection. > > We may only need to focus in the short term on those packages that are required > by other parts of the Fedora Project (like nodejs-less, which is consumed in the > build process for many web apps). > > > Option 2) is the path of least resistance in the immediate short-term, but once > we run up against the upstream EOL, the maintenance burden could be prohibitive. > In theory, we could petition FESCo for permission to break ABI in the stable > release, but I wouldn't recommend it (and would probably be voting against it > were it to come from anywhere else; I'd abstain in this case due to conflict of > interest). Given that we know about the potential risk in advance, I doubt we'd > see much sympathy either. So we should realistically assume that if we choose > this option, someone is going to need to maintain the security backports (and it > will not be me, sorry). > > As for Option 1)? I think someone with more knowledge of the individual modules > in Fedora (Tom Hughes? Jared Smith?) would need to figure out how many modules > would be broken if we downgraded. If it's sufficiently small, I suppose we could > epoch-bump nodejs and its virtual npm Provides: and go that route. I don't love > that we will effectively been playing yo-yo with the version in F24, but it > would be a solution... > > > Thoughts, other ideas? Please skip the rotten fruit; I'm on a diet. > > > > [1] > https://github.com/nodejs/node/blob/master/CHANGELOG.md#2016-04-26-versio... > [2] https://github.com/nodejs/LTS#lts_schedule > > -- > devel mailing list > devel(a)lists.fedoraproject.org > http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

On Wed, Apr 27, 2016 at 8:54 AM, Josh Boyer <jwboyer(a)fedoraproject.org&gt; wrote: Would it be possible to try a nodejs 6.x build of everything in a side-tag or something? My understanding (based on the changelog) is that things should generally work, as while the ABI broke, most of the API remained the same. Personally, I'm not a fan of the idea of using SCLs to support newer environments in Fedora. I'd prefer if SCLs were used to support older ones, with newer ones being the default. -- 真実はいつも一つ！/ Always, there's only one truth!

On 04/27/2016 09:04 AM, Tom Hughes wrote: From https://github.com/nodejs/LTS#lts_schedule it looks like non-LTS branches are maintained for about 9 months, while LTS releases are maintained for 30 months. So you're probably right; going forward we should probably align Fedora with whichever branch is (or will become) the LTS branch for its entire lifetime. This still leaves us with a choice, because the 4.x branch is officially LTS and the 6.x branch will become LTS in October. (In the early phase of the branch, it won't break compatibility, but the set of features may grow; that gets locked in when it goes LTS).

On 04/27/2016 09:25 AM, Neal Gompa wrote: 14 packages is the set that would be required to rebuild for Node.js 4.x. I have no idea how much breakage would be involved with 6.x. You say "My understanding (based on the changelog) is that things should generally work, as while the ABI broke, most of the API remained the same.", but I see dozens of "SEMVER-MAJOR" commits, many of which are removing some API (a deprecated one in some cases, but I have no way of knowing which of our packages would be affected). As Tom mentioned, many of the npm modules in Fedora don't have working test suites either, so a rebuild succeeding might not mean anything at all about whether it would actually work. At this point, I'm probably going to fall on the side of downgrading to 4.x (which right now is scheduled to still be in maintenance mode for the entire life of F24). I don't think there's enough time left in the Fedora schedule to jump to 6.x without significant risk of breakage.

On 04/27/2016 02:20 PM, Matthew Miller wrote: Technically, the release up to the point where they become LTS is stable but not LTS (I don't know what exactly that means...). For Fedora, this basically means that we should be able to land the newest version in April and it will be API-compatible for that whole time and locked down in October. So that should be as safe as we can realistically make it. Not a bad idea. As it is, I think I've come to the conclusion that Fedora will drop back to the 4.x LTS for Fedora 24. Unless I hear some really compelling new information by tomorrow morning, I'll work on that tomorrow.

On Wed, Apr 27, 2016 at 1:54 PM, Josh Boyer <jwboyer(a)fedoraproject.org&gt; wrote: Versioning maybe but not the "we're going to be shipping a major version of nodejs that will be EOL half way through the F-24 cycle" problem. Whether it's SCL format or standard package format it would still be built against F-24 deps and we'd still have the issue here. Sure there could be 4.x and 6.x along side each other but we'd still have a EOL potentially vuln release hanging around. Peter

On 26 April 2016 at 22:00, Stephen Gallagher <sgallagh(a)redhat.com&gt; wrote: 4) Drop NodeJS from Fedora 24 altogether. If there isn't one already, have a nodejs team built of people who are interested in it and are committed to doing things like side builds and similar requirements. They can then have a plan on what nodejs work should be done and what plans they will align on. This would be similar to the perl/python and other groups.. and makes sure that when someone bows out it doesn't kill the entire stack until someone comes in to build the work again. -- Stephen J Smoogen.

On Wed, Apr 27, 2016 at 9:54 AM, Stephen John Smoogen <smooge(a)gmail.com&gt; wrote: That would be a pretty big regression considering it has been in Fedora for a while. The user experience of needing nodejs and then having to hunt for it after upgrade seems poor. I don't disagree having a nodejs team would be a good idea, but I think you're being a bit unfair to Stephen. He hasn't bowed out yet and even a well intentioned nodejs team could have made the same choices that led to this situation. josh

On 27 April 2016 at 10:15, Stephen Gallagher <sgallagh(a)redhat.com&gt; wrote: My apologies extend to Tom and Jared also. I did not do enough research before posting and I came across in a way I did not intend at all to any of you. -- Stephen J Smoogen.