[openstack-dev] [tc] [all] OpenStack moving both too fast and too slow at the same time

Thierry Carrez thierry at openstack.org
Thu May 4 19:07:02 UTC 2017


Flavio Percoco wrote:
> On 04/05/17 11:18 -0400, Jonathan Proulx wrote:
>> On Thu, May 04, 2017 at 04:14:07PM +0200, Thierry Carrez wrote:
>> :I agree that our current stable branch model is inappropriate:
>> :maintaining stable branches for one year only is a bit useless. But I
>> :only see two outcomes:
>> :
>> :1/ The OpenStack community still thinks there is a lot of value in doing
>> :this work upstream, in which case organizations should invest resources
>> :in making that happen (starting with giving the Stable branch
>> :maintenance PTL a job), and then, yes, we should definitely consider
>> :things like LTS or longer periods of support for stable branches, to
>> :match the evolving usage of OpenStack.
>> :
>> :2/ The OpenStack community thinks this is better handled downstream, and
>> :we should just get rid of them completely. This is a valid approach, and
>> :a lot of other open source communities just do that.
>> :
>> :The current reality in terms of invested resources points to (2). I
>> :personally would prefer (1), because that lets us address security
>> :issues more efficiently and avoids duplicating effort downstream. But
>> :unfortunately I don't control where development resources are posted.
> 
> Have there been issues with downstream distros not addressing security
> fixes properly?

No, not at all -- but usually they package upstream vulnerability fixes,
which are produced on stable branches. In mode #2 we would only patch
master, forcing downstream to do backports for more branches. That is
what I meant by "more efficiently".

Sorry for being unclear.

-- 
Thierry Carrez (ttx)
