Stable Release Updates types proposal (was Re: Fedora Board Meeting Recap 2010-03-11)

Al Dunsmuir al.dunsmuir at sympatico.ca
Fri Mar 12 22:09:06 UTC 2010


| Accidentally sent off-list. Resent.

On Friday, March 12, 2010, 3:05:18 PM, Tuju wrote:
> On Fri, 12 Mar 2010, Matthew Garrett wrote:
>>> RHEL has the resources to backport. Centos uses those backports for
>>> free, but does not generate them (unless again the party supporting a
>>> component for Centos happens to be upstream in RHEL).
>>
>> Debian has historically managed this. I really don't buy the argument
>> that security or other critical fixes are generally difficult to
>> backport.

> I thought that this was the reason why a package maintainer exists in
> the first place, to maintain the package (not the content):

In the likely event that the package maintainer is a volunteer, again
there may be limited (or no) resources/time to backport. It may have
to wait a few weeks due to real life issues (kids, spouse, pets, day
job).

> So in case Fedora's users suffer from a security bug, the maintainer 
> collects the facts (what version, how many users are affected, 
> important details from bug reports and debugging information, etc), 
> talks to upstream and if the security bug is not backported, (s)he 
> asks upstream to do so. They probably have the best skills to do so.

In the likely event that upstream is also a volunteer (and perhaps
one and the same person as the package maintainer), the same issues
will arise.

> I don't see how this wouldn't be everyone's interest, even from the 
> upstream point of view. They most likely don't want such reputation 
> that their software is dangerous to use.

These folks are not running a 24/7 business staffed with trained
resources sitting idle (paid for by licence fees) waiting for your
problem reports. I was with IBM for 23 years (shop floor control,
debuggers, compilers) and most non-OS software problems were addressed
by the developers during regular office hours and perhaps weekends.

Anyone who thinks that free software should have an instantaneous
turnaround for free support isn't being realistic. The developers
may even want to provide that... but that is not reality.

> Unless the maintainer has issues with communication and social 
> skills, this could very well be a problem and not that far-fetched.

> I wonder, how many maintainers have even sent a short email to 
> upstream and said:

> "hello, thank you for coding this cool software with opensource 
> license. I'm packaging it now to Fedora, please send me 
> announcements etc and please don't hesitate to contact me if you 
> have something in mind, I'm your contact at this end".

> Frankly, if you ask me, I'd rather take all backporting done by 
> someone who actually knows what he's doing. And the same goes with 
> packaging.

I think we're in "I want a pony" territory.

> What comes to KDE's "there won't be any more bugfix releases after 
> new feature release" - so what? How many real security issues have 
> there been in history? Five? Ten? I bet those all would be 
> backported by upstream if the community size of Fedora would really 
> need them. Everyone who cannot wait those couple of months can do a 
> checkout and compile themselves.
> Tuju

When was the last time you tried to build all of KDE? As much as I
may disagree with Kevin on some points, what he does is nontrivial.


