Re: [libvirt] retiring v0.9.6-maint
On 09/18/2014 05:15 PM, Eric Blake wrote: > On 09/18/2014 02:36 AM, Daniel P. Berrange wrote: >> On Wed, Sep 17, 2014 at 04:24:07PM -0600, Eric Blake wrote: >>> Any objections to retiring the v0.9.6-maint branch? After all, we have >>> already retired the v0.9.11-maint branch >>> (http://libvirt.org/git/?p=libvirt.git;a=commit;h=cd0d348ed), and the >>> only activity on v0.9.6-maint since 0.9.6.4 was released in January 2013 >>> was the backport of a single CVE fix. The branch no longer builds >>> cleanly on Fedora 20, and while I could identify patches to backport to >>> fix the build situation, it's not worth my time if we can just retire >>> the branch. >> >> FWIW, I'm not really a fan of deleting the branches. Is there any harm >> to just leaving it there idle ? > > The branches aren't deleted, per se, just a new commit added on top of > the branch that declares the intent. For example, all you see if you > check out v0.9.11-maint is this README file: > > http://libvirt.org/git/?p=libvirt.git;a=blob;f=README;h=68aeed1ae7d131661f2ba07eff1b4ae16ac4f3b8;hb=cd0d348ed > > The branch would still usable by checking out v0.9.11-maint^ as a > detached head, so the history is still there. All I'm proposing is > documenting that we aren't going to try and port security fixes to the > branch any longer, because no one appears to be actively using it. > I think we need to be clearer what and how is maintained on the website. The Security Process [1] states: > The libvirt community maintains one or more stable release branches at any > given point in time. The security team will aim to publish fixes for GIT > master (which will become the next major release) and each currently > maintained stable release branch. The distro maintainers will be > responsible for backporting the officially published fixes to other release > branches where applicable. But in practice, CVE fixes are pushed to all -maint branches, not just those with releases. http://libvirt.org/downloads.html mentions that supported -maint branches are considered during CVE analysis, but it's unclear on the definition of support. This paragraph about hourly snapshots: > These snapshots should be usable, but we make no guarantees about their > stability; furthermore, they should NOT be considered formal releases, and > they may have transient security problems that will not be assigned a CVE. may give the impressions that the CVEs are fixed in the maintenance releases, even when they're only backported on the branches. (The wiki [2] lists past maintenance releases, but no indication whether there will be more releases). Since stable releases were made out of 0.9.6, I think we should mention on the wiki/download page, that no more releases are going to be made and they are no longer supported (same for 0.9.11 and maybe 0.10.2 too?), in addition to/instead of deleting the content of the branch. (Also, maintaining 20 releases is IMHO a waste of time, personally I only backport my important fixes to the latest Fedora release where I know it will be picked up in the next release and the latest -maint branch. Does anyone use the -maint branches without maintenance releases? IIRC they were created for Gentoo, but it looks like all the current versions use the vanilla sources, with no backport from the maint branches [3]). Jan [3] http://packages.gentoo.org/package/app-emulation/libvirt [2] http://wiki.libvirt.org/page/Maintenance_Releases [1] http://libvirt.org/securityprocess.html signature.asc Description: OpenPGP digital signature -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] retiring v0.9.6-maint
On Wed, Sep 17, 2014 at 04:24:07PM -0600, Eric Blake wrote: > Any objections to retiring the v0.9.6-maint branch? After all, we have > already retired the v0.9.11-maint branch > (http://libvirt.org/git/?p=libvirt.git;a=commit;h=cd0d348ed), and the > only activity on v0.9.6-maint since 0.9.6.4 was released in January 2013 > was the backport of a single CVE fix. The branch no longer builds > cleanly on Fedora 20, and while I could identify patches to backport to > fix the build situation, it's not worth my time if we can just retire > the branch. Fine for me. Debian is tracking 0.9.12. Cheers, -- Guido -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] retiring v0.9.6-maint
On 09/18/2014 09:22 AM, Daniel P. Berrange wrote: > On Thu, Sep 18, 2014 at 09:15:10AM -0600, Eric Blake wrote: >> On 09/18/2014 02:36 AM, Daniel P. Berrange wrote: >>> On Wed, Sep 17, 2014 at 04:24:07PM -0600, Eric Blake wrote: Any objections to retiring the v0.9.6-maint branch? After all, we have already retired the v0.9.11-maint branch >> The branch would still usable by checking out v0.9.11-maint^ as a >> detached head, so the history is still there. All I'm proposing is >> documenting that we aren't going to try and port security fixes to the >> branch any longer, because no one appears to be actively using it. > > Ah, Ok, that seems fine. Done; v0.9.6-maint still exists, but with a README file documenting that we aren't going to backport any further fixes here. -- Eric Blake eblake redhat com+1-919-301-3266 Libvirt virtualization library http://libvirt.org signature.asc Description: OpenPGP digital signature -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] retiring v0.9.6-maint
On Thu, Sep 18, 2014 at 09:15:10AM -0600, Eric Blake wrote: > On 09/18/2014 02:36 AM, Daniel P. Berrange wrote: > > On Wed, Sep 17, 2014 at 04:24:07PM -0600, Eric Blake wrote: > >> Any objections to retiring the v0.9.6-maint branch? After all, we have > >> already retired the v0.9.11-maint branch > >> (http://libvirt.org/git/?p=libvirt.git;a=commit;h=cd0d348ed), and the > >> only activity on v0.9.6-maint since 0.9.6.4 was released in January 2013 > >> was the backport of a single CVE fix. The branch no longer builds > >> cleanly on Fedora 20, and while I could identify patches to backport to > >> fix the build situation, it's not worth my time if we can just retire > >> the branch. > > > > FWIW, I'm not really a fan of deleting the branches. Is there any harm > > to just leaving it there idle ? > > The branches aren't deleted, per se, just a new commit added on top of > the branch that declares the intent. For example, all you see if you > check out v0.9.11-maint is this README file: > > http://libvirt.org/git/?p=libvirt.git;a=blob;f=README;h=68aeed1ae7d131661f2ba07eff1b4ae16ac4f3b8;hb=cd0d348ed > > The branch would still usable by checking out v0.9.11-maint^ as a > detached head, so the history is still there. All I'm proposing is > documenting that we aren't going to try and port security fixes to the > branch any longer, because no one appears to be actively using it. Ah, Ok, that seems fine. Regards, Daniel -- |: http://berrange.com -o-http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] retiring v0.9.6-maint
On 09/18/2014 02:36 AM, Daniel P. Berrange wrote: > On Wed, Sep 17, 2014 at 04:24:07PM -0600, Eric Blake wrote: >> Any objections to retiring the v0.9.6-maint branch? After all, we have >> already retired the v0.9.11-maint branch >> (http://libvirt.org/git/?p=libvirt.git;a=commit;h=cd0d348ed), and the >> only activity on v0.9.6-maint since 0.9.6.4 was released in January 2013 >> was the backport of a single CVE fix. The branch no longer builds >> cleanly on Fedora 20, and while I could identify patches to backport to >> fix the build situation, it's not worth my time if we can just retire >> the branch. > > FWIW, I'm not really a fan of deleting the branches. Is there any harm > to just leaving it there idle ? The branches aren't deleted, per se, just a new commit added on top of the branch that declares the intent. For example, all you see if you check out v0.9.11-maint is this README file: http://libvirt.org/git/?p=libvirt.git;a=blob;f=README;h=68aeed1ae7d131661f2ba07eff1b4ae16ac4f3b8;hb=cd0d348ed The branch would still usable by checking out v0.9.11-maint^ as a detached head, so the history is still there. All I'm proposing is documenting that we aren't going to try and port security fixes to the branch any longer, because no one appears to be actively using it. -- Eric Blake eblake redhat com+1-919-301-3266 Libvirt virtualization library http://libvirt.org signature.asc Description: OpenPGP digital signature -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] retiring v0.9.6-maint
On Wed, Sep 17, 2014 at 04:24:07PM -0600, Eric Blake wrote: > Any objections to retiring the v0.9.6-maint branch? After all, we have > already retired the v0.9.11-maint branch > (http://libvirt.org/git/?p=libvirt.git;a=commit;h=cd0d348ed), and the > only activity on v0.9.6-maint since 0.9.6.4 was released in January 2013 > was the backport of a single CVE fix. The branch no longer builds > cleanly on Fedora 20, and while I could identify patches to backport to > fix the build situation, it's not worth my time if we can just retire > the branch. FWIW, I'm not really a fan of deleting the branches. Is there any harm to just leaving it there idle ? Regards, Daniel -- |: http://berrange.com -o-http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] retiring v0.9.6-maint
Any objections to retiring the v0.9.6-maint branch? After all, we have already retired the v0.9.11-maint branch (http://libvirt.org/git/?p=libvirt.git;a=commit;h=cd0d348ed), and the only activity on v0.9.6-maint since 0.9.6.4 was released in January 2013 was the backport of a single CVE fix. The branch no longer builds cleanly on Fedora 20, and while I could identify patches to backport to fix the build situation, it's not worth my time if we can just retire the branch. -- Eric Blake eblake redhat com+1-919-301-3266 Libvirt virtualization library http://libvirt.org signature.asc Description: OpenPGP digital signature -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
