On 12/15/2017 05:52 PM, Matt Riedemann wrote:
> On 12/15/2017 9:15 AM, Thomas Goirand wrote:
>> Not only that. Everyone is lagging a few releases behind, and currently,
>> upstream OpenStack doesn't care about backporting to older releases.
>
> Can you clarify this please? The nova team is definitely backporting
> fixes to pike, ocata and newton. Newton isn't EOL yet *because* nova has
> held it up backporting fixes that we think are important enough to get
> in there before we EOL the branch.
I very much appreciate what has been done with the CVE fixes. Thanks a lot for this, especially since it looked quite tricky and way above the level of patch I could backport by myself in a safe way.

> If you're talking about LTS, that's a different story, but please don't
> say upstream OpenStack doesn't care about backporting fixes. That might
> be a per-project statement, but in general it's untrue.

After re-reading myself, I noticed that it could be read in a variety of ways. Sorry for this; that's typical of me, maybe because I'm not a native English speaker. :( Let me attempt to correct myself.

First, it wasn't "upstream doesn't care about anyone, upstream is bad". It was more: upstream currently doesn't have support in place so it can care for a long enough time for its security bugfixes to be relevant to distros.

More in detail: upstream distributions are all advertising 5 years of support. For my own case, and considering the last Debian release, Newton was out a year ago, a bit before the Debian Stretch freeze. Stretch was then released on the 17th of June, while Newton was officially EOL on the 11th of October. This means that, officially, Debian received 4 months of official support during the lifetime of its release, which is supposed to be at least 3 years, and preferably 5 (if we account for the LTS effort).

So even without talking about OpenStack LTS, I hope everyone understands that for me & Debian, the *official* security support is as good as nonexistent when dealing with Debian Stable. Luckily, as always within this awesome OpenStack community, mostly everyone from individual projects has been super helpful and helped when I asked. However, even with very nice people, this helpfulness has limits, and an official longer support would definitely help.

Anyway, all this was to say: I'm convinced that releasing less often will help. I don't think backporting from master to Pike, Ocata and Newton has so much value, but it's a lot of effort upstream.
And in Debian's case, the Ocata backport wasn't needed. Even if we're not talking about LTS, I'm sure having half the number of backports may help extend the life of stable releases.

I hope it's clearer this time,

Cheers,

Thomas Goirand (zigo)