[openstack-dev] [all] Switching to longer development cycles

Thomas Goirand zigo at debian.org
Sat Dec 16 00:15:40 UTC 2017

On 12/15/2017 05:52 PM, Matt Riedemann wrote:
> On 12/15/2017 9:15 AM, Thomas Goirand wrote:
>> Not only that. Everyone is lagging a few release behind, and currently,
>> upstream OpenStack don't care backporting to older releases.
> Can you clarify this please? The nova team is definitely backporting
> fixes to pike, ocata and newton. Newton isn't EOL yet *because* nova has
> held it up backporting fixes that we think are important enough to get
> in there before we EOL the branch.

I very much appreciate what has been done with the CVE fixes. Thanks a
lot for this, especially that it looked quite tricky and a way above the
level of patch I could backport by myself in a safe way.

> If you're talking about LTS, that's a different story, but please don't
> say upstream OpenStack doesn't care about backporting fixes. That might
> be a per-project statement, but in general it's untrue.

After re-reading myself, I noticed that it could be read in a variety of
ways. Sorry for this that's typical from me, maybe because I'm not a
native English speaker. :(

Let me attempt to correct myself.

First, it wasn't "upstream don't care about anyone, upstream is bad". It
was more: upstream currently doesn't have in place support so it can
care for a long enough time for its security bugfixes to be relevant to

More in details:

Upstream distributions are all advertising for 5 years support. For my
own case, and considering the last Debian release, Newton was out a year
ago, a bit before Debian Stretch freeze. Stretch was then released on
the 17th of June, while Newton was officially EOL on the 11th of
October. This means that, officially, Debian received 4 months of
official support during the lifetime of its release, which is supposed
to be at least 3 years, and preferably 5 (if we account the LTS effort).
So even without talking about OpenStack LTS, I hope everyone understand
that for me & Debian, the *official* security support is as good as
inexistant when dealing with Debian Stable.

Lucky, as always within this awesome OpenStack community, mostly
everyone from individual projects has been super helpful and helped when
I asked. However, even with very nice people, this helpfulness has
limits, and an official longer support would definitively help.

Anyway, all this was to say: I'm convinced that releasing less often
will help. I don't think backporting from master to Pike, Ocata and
Newton has so much value, but it's a lot of effort upstream. And in
Debian's case, Ocata backport wasn't needed. Even if we're not talking
about LTS, I'm sure having half the number of backports may help extend
the life of stable releases.

I hope it's clearer this time,

Thomas Goirand (zigo)

More information about the OpenStack-dev mailing list