[openstack-dev] [openstack-announce] End of life for managed stable/icehouse branches

Thomas Goirand zigo at debian.org
Tue Jul 14 19:08:50 UTC 2015

On 07/14/2015 03:55 AM, Jeremy Stanley wrote:
> On 2015-07-14 00:33:52 +0200 (+0200), Thomas Goirand wrote:
> [...]
>> I believe I asked you about 10 times to keep these branches alive, so
>> that distributions could work together on a longer support, even without
>> a CI behind it.
> And the project consensus has seemed to disagree with this after
> careful discussion, each time it's brought up. Distributions
> collaborating upstream on stable branch support would entail helping
> keep those branches tested upstream. As a project we've consistently
> stated that publishing updates to stable branches without sufficient
> testing is an affront to our quality assurance stance. The final
> state of the upstream stable/icehouse branch, as with each previous
> stable branch all the way back to stable/diablo, is tagged in the
> repository so that you can construct your own continuation of
> stable/icehouse from the same point as needed.
>> I have also asked for a private gerrit for maintaining the Icehouse
>> patches after EOL.
> [...]
> I do apologize for not setting up a separate private Gerrit instance
> for embargoed security fix code reviewing. It would be a help to me
> and the rest of the VMT to have it, I simply haven't had the
> available time I'd hoped to be able to work out remaining
> implementation details for deploying and maintaining it. That said,
> its priority has decreased as the VMT is trying to get a little more
> cautious about only embargoing vulnerability reports that actually
> benefit enough from a brief advance notice to downstream
> stakeholders to offset the significant cost in efficiency of the
> embargo process (only a small amount of which is due to the tools we
> end up using for private code review).
> However, as I explained to you at the Liberty Design Summit after
> discussion with members of the infrastructure team, we're also not
> comfortable maintaining stable branches of projects in a private
> Gerrit instance any longer than we do in the normal public one, and
> would want to remove inactive branches from it at the same time
> their public counterparts reach end of life.
> Since I feel like I'm starting to repeat myself at this point, I'll
> leave it to others to continue the thread this time. If you're
> interested in overhauling the stable branch EOL process (I didn't
> design and plan it, I merely pull the levers and push the buttons),
> that discussion should involve the stable branch release managers
> and the rest of the release team along with the quality assurance
> team.


I'm very disappointed, because this isn't at all what I've been told
during each and every summit since the release of Icehouse.

The conversations we had during all summits were all about you (and
others) saying that it was really ok to not destroy the branches. Never
you raised your concern about any issue, and I was counting on this to
organize security support for Icehouse for embargoed issues.

While I do understand that you didn't have time for this private gerrit,
I don't get why it's not ok to just leave the branch open, without the
CI (you could rename the branch if you didn't want to show any blessing
from the project).

Now, since the upstream OpenStack doesn't offer any help for Icehouse
which absolutely *all* downstream distributions offer LTS support, we're
back to what I feared from the start: chaos and no serious coordination
possible between distros, unless we do absolutely everything by
ourselves (including the infrastructure to host a gerrit and share
patches). I will *not* have the time to do this.

I just hope individual project members will help doing some of the
backport work.


Thomas Goirand (zigo)

More information about the OpenStack-dev mailing list