
On 01/23/2014 12:26 PM, Daniel P. Berrange wrote:
On Wed, Jan 22, 2014 at 12:13:48PM -0700, Eric Blake wrote:
On 01/15/2014 01:43 PM, Eric Blake wrote:
Is anyone still using v0.9.11-maint? The CVE extends back to 0.9.8, so we could argue that we should either fix the 0.9.11 branch, or add another commit to the branch that explicitly marks it as end-of-life because no one appears to be relying on it.

Fedora 18 is now end-of-life, so from Fedora's perspective, I only care about 0.10.2 (RHEL and CentOS 6), 1.0.5 (F19), 1.1.3 (F20) and soon 1.2.1 (rawhide), although I didn't mind touching all the intermediate branches on my way down to 0.10.2. RHEL 5 is also vulnerable to CVE-2013-6458, but as we don't have an upstream v0.8.2-maint branch (thank goodness!), that's something for Red Hat to worry about.

I've gone ahead and marked v0.8.3-maint and v0.9.11-maint as closed (I'm not posting the actual patch here, but it was done by 'git rm -f \*' followed by recreating .gitignore and a placeholder README that mentions the death of the branch).

FYI for openstack I examined the current libvirt versions in some major distros:

After seeing that list, I thought an "end of life" column could be interesting, but then realized the only bit I was interested in was how long we will need to put up with the oldest version on the list. As far as I can tell, Ubuntu 12.04 LTS is scheduled for EOL in April 2017 (date from here: https://wiki.ubuntu.com/Releases ), so I guess *somebody* has to care about libvirt-0.9.8 until 2017 (of course we don't have a v0.9.8-maint branch anyway, so that's not likely going to happen within upstream infrastructure)