I've been talking with Garrett (gholms) about the important vulnerability affecting eucalyptus. Turns out eucalyptus is crazy complex to package and the purpose for packaging euca has passed. He's going to orphan the packages and we'll likely be able to discontinue it in Fedora. This will affect three vulnerabilities (1 Important, 2 Mediums).
-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks@fedoraproject.org - sparks@redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
On Thu, 31 Jul 2014 20:40:51 -0400 Eric H. Christensen wrote:
> I've been talking with Garrett (gholms) about the important vulnerability affecting eucalyptus. Turns out eucalyptus is crazy complex to package and the purpose for packaging euca has passed. He's going to orphan the packages and we'll likely be able to discontinue it in Fedora. This will affect three vulnerabilities (1 Important, 2 Mediums).
Out of curiosity, what exactly does "discontinue" mean here? Retire it from released and still supported Fedora versions, or only from future (21+)? I know packages get removed from EPEL, I'm not sure if / how often that happens in Fedora.
Btw, the retirement process is documented here: https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life
On 01.08.2014 at 22:08, Tomas Hoger wrote:
> On Thu, 31 Jul 2014 20:40:51 -0400 Eric H. Christensen wrote:
>> I've been talking with Garrett (gholms) about the important vulnerability affecting eucalyptus. Turns out eucalyptus is crazy complex to package and the purpose for packaging euca has passed. He's going to orphan the packages and we'll likely be able to discontinue it in Fedora. This will affect three vulnerabilities (1 Important, 2 Mediums).
> Out of curiosity, what exactly does "discontinue" mean here? Retire it from released and still supported Fedora versions, or only from future (21+)? I know packages get removed from EPEL, I'm not sure if / how often that happens in Fedora.
That's a critical question:

* you can't remove them from released ISOs
* normally there is a policy that they can't be dropped

The real critical question, in the case of abandoned packages which stay unmaintained, is: is it doing a user who types "yum install" and gets the impression it's maintained a favor, or is it better not to offer it in the repos, so that new users don't start building infrastructure around it with no future and only realize that later?
On Sat, 02 Aug 2014 02:59:20 +0200 Reindl Harald wrote:
>> Out of curiosity, what exactly does "discontinue" mean here? Retire it from released and still supported Fedora versions, or only from future (21+)? I know packages get removed from EPEL, I'm not sure if / how often that happens in Fedora.
> ...
> - you can't remove them from released ISOs
There is actually a difference from EPEL I hadn't realized before. Fedora uses separate release and updates repos; EPEL has a single repository. I do not know how/if Fedora removals from the release repos are done.
> the real critical question, in the case of abandoned packages which stay unmaintained, is: is it doing a user who types "yum install" and gets the impression it's maintained a favor, or is it better not to offer it in the repos, so that new users don't start building infrastructure around it with no future and only realize that later?
Removal of unmaintained packages is of benefit to users not using the component now who may try to yum install it in the future.
I believe the more important question is whether removal is sufficient "notification" to existing users. Arguably, it is better than keeping packages in the repos and unmaintained...
Anyway, such removals seem much harder to defend in the case of a short-life distribution like Fedora.