Stable Release Updates types proposal (was Re: Fedora Board Meeting Recap 2010-03-11)

Juha Tuomala Juha.Tuomala at iki.fi
Fri Mar 12 20:05:18 UTC 2010



On Fri, 12 Mar 2010, Matthew Garrett wrote:
>> RHEL has the resources to backport. Centos uses those backports for
>> free, but does not generate them (unless again the party supporting a
>> component for Centos happens to be upstream in RHEL).
>
> Debian has historically managed this. I really don't buy the argument
> that security or other critical fixes are generally difficult to
> backport.

I thought that this was the reason why a package maintainer 
exists in the first place: to maintain the package (not the 
content):

- wraps software into rpm and pushes it to distro
- monitors new releases and makes updates
- *communicates* between fedora userspace and upstream

So in case fedora's users suffer from a security bug, the maintainer 
collects the facts (what version, how many users are affected, 
important details from bug reports and debugging information, etc.), 
talks to upstream and, if the security bug is not backported, (s)he 
asks upstream to do so. They probably have the best skills to do so.

I don't see how this wouldn't be in everyone's interest, even from the 
upstream point of view. They most likely don't want such a reputation 
that their software is dangerous to use.

Unless the maintainer has issues with communication and social 
skills, this could very well be a problem and not that far-fetched.

I wonder, how many maintainers have even sent a short email to 
upstream and said:

"hello, thank you for coding this cool software with an open-source 
license. I'm packaging it now for Fedora, please send me 
announcements etc. and please don't hesitate to contact me if you 
have something in mind, I'm your contact at this end".

Frankly, if you ask me, I'd rather have all backporting done by 
someone who actually knows what he's doing. And the same goes for 
packaging.

As for KDE's "there won't be any more bugfix releases after a 
new feature release" - so what? How many real security issues have 
there been in history? Five? Ten? I bet those would all be 
backported by upstream if a community the size of Fedora really needed 
them. Everyone who cannot wait those couple of months can do a checkout 
and compile themselves.


Tuju

--
You want to throw out the baby with the bathwater! - K. Kofler
Your baby is my bathwater. I don't want the OS you're building. - J. Keating