On 09/18/2014 05:15 PM, Eric Blake wrote:
On 09/18/2014 02:36 AM, Daniel P. Berrange wrote:
> On Wed, Sep 17, 2014 at 04:24:07PM -0600, Eric Blake wrote:
>> Any objections to retiring the v0.9.6-maint branch? After all, we have
>> already retired the v0.9.11-maint branch
>> (http://libvirt.org/git/?p=libvirt.git;a=commit;h=cd0d348ed), and the
>> only activity on v0.9.6-maint since 0.9.6.4 was released in January 2013
>> was the backport of a single CVE fix. The branch no longer builds
>> cleanly on Fedora 20, and while I could identify patches to backport to
>> fix the build situation, it's not worth my time if we can just retire
>> the branch.
>
> FWIW, I'm not really a fan of deleting the branches. Is there any harm
> to just leaving it there idle ?
The branches aren't deleted, per se, just a new commit added on top of
the branch that declares the intent. For example, all you see if you
check out v0.9.11-maint is this README file:
http://libvirt.org/git/?p=libvirt.git;a=blob;f=README;h=68aeed1ae7d131661...
The branch would still be usable by checking out v0.9.11-maint^ as a
detached head, so the history is still there. All I'm proposing is
documenting that we aren't going to try and port security fixes to the
branch any longer, because no one appears to be actively using it.
I think we need to be clearer what and how is maintained on the website.
The Security Process [1] states:
The libvirt community maintains one or more stable release branches at any
given point in time. The security team will aim to publish fixes for GIT
master (which will become the next major release) and each currently
maintained stable release branch. The distro maintainers will be
responsible for backporting the officially published fixes to other release
branches where applicable.
But in practice, CVE fixes are pushed to all -maint branches, not just those
with releases.
http://libvirt.org/downloads.html mentions that supported -maint branches are
considered during CVE analysis, but it's unclear on the definition of support.
This paragraph about hourly snapshots:
These snapshots should be usable, but we make no guarantees about their
stability; furthermore, they should NOT be considered formal releases, and
they may have transient security problems that will not be assigned a CVE.
may give the impression that the CVEs are fixed in the maintenance releases,
even when they're only backported on the branches.
(The wiki [2] lists past maintenance releases, but no indication whether there
will be more releases).
Since stable releases were made out of 0.9.6, I think we should mention on the
wiki/download page that no more releases are going to be made and they are no
longer supported (same for 0.9.11 and maybe 0.10.2 too?), in addition
to/instead of deleting the content of the branch.
(Also, maintaining 20 releases is IMHO a waste of time, personally I only
backport my important fixes to the latest Fedora release where I know it will
be picked up in the next release and the latest -maint branch. Does anyone use
the -maint branches without maintenance releases? IIRC they were created for
Gentoo, but it looks like all the current versions use the vanilla sources,
with no backport from the maint branches [3]).
Jan
[1] http://libvirt.org/securityprocess.html
[2] http://wiki.libvirt.org/page/Maintenance_Releases
[3] http://packages.gentoo.org/package/app-emulation/libvirt