[openstack-dev] [openstack-announce] End of life for managed stable/icehouse branches

Thierry Carrez thierry at openstack.org
Wed Jul 15 10:05:04 UTC 2015

Thomas Goirand wrote:
> On 07/14/2015 10:29 AM, Ihar Hrachyshka wrote:
>> On 07/14/2015 12:33 AM, Thomas Goirand wrote:
>>> Effectively, under these conditions, I am giving up doing any kind
>>> of coordination between distros for security patches of Icehouse.
>>> :(
>> As far as I know, there was no real coordination on those patches
>> before, neither I saw any real steps from any side to get it up.
> Well... as far as I know, you were not there during the conversations we
> had at the summits about this. Neither you are on my list of Icehouse
> security persons. So I fail to see how you could be in the loop for this
> indeed.

Ihar was the Icehouse stable branch champion, so he witnessed first hand
the *complete* lack of interest and resources being invested to maintain
stable branches longer upstream. He is been the only one keeping
stable/icehouse vaguely functional over the last year.

The fact that this mysterious "Icehouse security persons" group was
completely disconnected from the only person keeping that branch usable
is... quite telling.

> [...]
>> I am tired to say that again and again, but there should be some
>> resource investment from interested parties, upfront, before infra
>> takes part of the burden on their shoulders. Asking won't help.
> How do you expect to see anything happening before Icehouse effectively
> gets EOL? By the way, I haven't asked anything but *not* doing
> something. I don't see how much "burden" I'm putting on infra here.

The "cost" of keeping stable branches around without CI is more a
branding cost than a technical cost, I think. An OpenStack upstream
stable branch means a number of things, and lack of CI isn't one of
them. We also have tooling that looks at "stable/*" and applies rules to
it. If we have kept stable/icehouse upstream, it would have been renamed
no-more-tested/icehouse or something to make sure we don't call two
completely different things under the same name.

If a team decides to work upstream on longer-term branches, then I could
totally consider them back in the upstream git repo (under a different
name than "stable/*"). But given that I've been asking and failing to
get more resources for stable branches over the last 4 years, I'll
believe it when I see it.

It feels like you're (or were) mostly after a private zone to share
icehouse security patches outside of all OpenStack CI. I'm not sure why
that should live in OpenStack, where anything private is painful, and
where CI is pretty much our defining characteristic.

Thierry Carrez (ttx)

More information about the OpenStack-dev mailing list