On Sun, Sep 24, 2017 at 2:48 PM, Nico Kadel-Garcia <nka...@gmail.com> wrote:
> On Sat, Sep 23, 2017 at 3:52 PM, Keith Lofstrom <kei...@kl-ic.com> wrote:
>> On Tue, Sep 19, 2017 at 11:47 PM, Bill Maidment <b...@maidment.me> wrote:
>>> So much for security issue support for 10 years. Probably best to assume
>>> only 7 years in real life.
>>
>> On Wed, Sep 20, 2017 at 07:24:25AM -0700, Akemi Yagi wrote:
>>> Here's the description about "Production 3 phase":
>>> "During the Production 3 Phase, Critical impact Security Advisories
>>> (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be
>>> released as they become available. Other errata advisories may be delivered
>>> as appropriate."
>>> So, yes, not all security updates are available once RHEL (therefore
>>> Scientific Linux) goes into that phase.
>>
>> In a larger sense: how much work is it to semi-automate
>> the process of backporting all these security fixes from
>> SL6 and SL7 to earlier distros?
>
>> While SL7 follows what RedHat does (and rightly so),
>> perhaps there are enough of us here (and using CentOS
>> for similar reasons) to fork a "superstable" distro
>> and pay a few people to support the fork.
Come to think of it, three examples of the difficulties come to mind: Subversion (for which I used to publish RPMs over at rpmforge), Samba, and httpd. Backporting Subversion was a pain: the individual patches were not compatible with obsolete versions of Subversion, and newer versions had considerable library update requirements, such as mod_svn (for a while), and later serf (which required a much newer version of serf). Samba.... requires a profoundly updated gnutls for current releases with current architectural support. It got much better when cifsutils became an independent package, but backporting features was not pretty. I worked with that for various Samba feature requirement reasons. And httpd, oh dear lord, when Apache 1.x became httpd-2.x, *everything* became a dependency adventure, especially due to some very funky numbering and perl module dependency confusion for mod_ssl.