[Openstack-operators] [openstack-dev] [stable][all] Keeping Juno "alive" for longer.
Tom.Cameron at rackspace.com
Mon Nov 9 17:11:35 UTC 2015
> What about risk-averse organizations with strict policy compliance guidelines?
I strongly suspect most operators don't have customers (internal or otherwise) clamouring to upgrade every 6 months. But 5 years is, frankly, absurd. But, to the point about auditing, many organizations have requirements around the auditing of software as it relates to regulations (this is a pretty small set of users). Many of them can rely on external audits of software, so perhaps this would be an opportunity for the OpenStack foundation to have long-term supported releases audited?
> If we’re only talking about patches to support minor updates to system packages what’s the cost to the community?
Minor patches to distribution-supplied packages aren't the actual problem, though there is some cost to the community in making sure that the minor updates (we're talking only security patches here at some point) don't break some depending component within OpenStack. That should be a rare problem, but I could see something like an OpenSSL vulnerability found in TLS1.x requiring a fix like disabling TLS1.x, which would break a python library that doesn't yet support anything >TLS1.x. Sometimes these fixes get very cumbersome to carry forward for half a decade.
The real cost, though, is in the OpenStack foundation and the community developers maintaining the actual release of the OpenStack software components. At some point in 5 years, your pool of experts on that version of the software dwindles rapidly. Because most of the development is done by groups pushing the leading edge, the trailing tail gets less and less attention until nobody's working on it at all. Obviously that isn't the case for Juno right now, but in 5 years' time, I can't imagine any volunteer wanting to support a very outdated, infrequently used version of an open source project.
Anyway, I suspect we're in violent agreement here. I support an LTS release strategy because it will allow more adoption for more sectors by offering that stability everyone's talking about. But, it shouldn't be a super-super long support offering. Maybe steal some of Ubuntu's game and do an LTS every 4 releases or so (24 months), but then maybe OpenStack only supports them for 24 months' time? Again, my concern is that this is free, open source software and you're probably not going to get many community members to volunteer to offer their precious time fixing bugs in a 2-year-old codebase that have been fixed for 18 months in a newer version. Sometimes backporting those fixes is more difficult than the actual fix itself, which makes the offer even less appealing.
It's good to see the discussion, though!
From: James King <j.kenneth.king at gmail.com> on behalf of James King <james at agentultra.com>
Sent: Monday, November 9, 2015 11:47
To: Tom Cameron
Cc: OpenStack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] [openstack-dev] [stable][all] Keeping Juno "alive" for longer.
Disclaimer: I've never worked in a software auditing department or in a company with one.
What about risk-averse organizations with strict policy compliance guidelines? Can we expect them to audit a new distribution of OpenStack every 6 months? Some sort of community-supported LTS system would at least give these consulting firms a base on which to build such a compliant OpenStack distribution for industry X.
If we're only talking about patches to support minor updates to system packages, what's the cost to the community?
I'm not against Tom's idea and would be satisfied with it, but it would be better, I think, to at least give the community the option of a solid base on which to build a compliant OpenStack distribution that isn't going to move out from underneath them in six months.
Unless of course that should be the job of some distribution maintainer... in which case how do we work with them?
> On Nov 9, 2015, at 10:50 AM, Tom Cameron <Tom.Cameron at rackspace.com> wrote:
> On a personal level, supporting the same release of an open source project for 5 years is something you should pay for...dearly. If operators have customers that are pinned to Juno for some reason I couldn't imagine right now, and they're willing to pay us to support it, then great!
> But I think we need to very tightly scope what support means: absolutely no back- or forward-porting. The features you have now are frozen in time. Also, they need to be tightly pinned to the OS distro repo versions of packages so we don't have to care about fixing critical vulns in stuff we don't maintain and can't control. This basically means they'll be paying us to make sure they can upgrade distro packages for security reasons and that OpenStack will keep functioning, and to file & patch upstream OpenStack bugs.
> Effectively this means they're settling for less value for their money if they remain on Juno for the full 5 years, whereas customers using newer versions of operators' OpenStack offerings will be getting new development and features for the same support dollars (which is a good way to market new versions to them, BTW).
> My $0.02
> Tom Cameron