Reduce number of supported branches? #5352
Comments
|
Or, we could consider having a policy like this:
|
We have too many branches and too few maintainers to be able to treat old-stable branches as fully supported. Helps: flatpak#5352 Signed-off-by: Simon McVittie <[email protected]>
We have too many branches and too few maintainers to be able to treat old-stable branches as fully supported. Helps: #5352 Signed-off-by: Simon McVittie <[email protected]>
|
I am working on rebasing the Flatpak stack in CentOS Stream 8 to |
We have too many branches and too few maintainers to be able to treat old-stable branches as fully supported. Helps: flatpak#5352 Signed-off-by: Simon McVittie <[email protected]> (cherry picked from commit 3198321)
|
Makes sense. If you have enterprise distros using very old versions of flatpak, I would expect them to have security teams who can backport fixes. In best case even upstream their backports. |
|
What I say in dbus is: I maintain the current development branch, the current stable branch, and sometimes one older stable branch (but only because I happen to need it with my Debian hat on); and if maintainers of LTS/enterprise distros want to collaborate on backported patches for EOL stable branches, they are invited to join the maintainer team and push their backported fixes to the appropriate (Nobody has actually taken me up on that offer in practice, but the offer remains open.) I think that's a reasonable policy to have in other projects like flatpak. |
It reminds me that I have a few pull requests waiting for backports that could be upstreamed:
There's also this one, but I forgot that it's waiting for me: #4932 |
We have too many branches and too few maintainers to be able to treat old-stable branches as fully supported. Helps: #5352 Signed-off-by: Simon McVittie <[email protected]> (cherry picked from commit 3198321)
Checklist
Suggestion
At the moment, fixing a security vulnerability or other serious bug in Flatpak would require doing 4 releases (1.15.x, 1.14.x, 1.12.x, 1.10.x). That's a lot of compiling and testing, particularly if it has to be done under embargo for a security fix, and the maintainers' time is limited (I'm responsible for a lot of other projects, and I'm sure the same is true for the other maintainers).
I think we should reduce the number of supported branches to 2 or maybe 3 (1.15.x, 1.14.x and maybe 1.12.x). Next time there is a security issue that affects 1.12.x and 1.10.x, we should still do a release on those branches, but we should also announce that it is likely to be the last release on those branches.
1.12.x is in RHEL 9, and its derivatives like CentOS. It's also the version in Ubuntu 22.04 'jammy', but Ubuntu doesn't normally take our stable releases anyway: if there's a security vulnerability, then Ubuntu usually backports individual patches instead of using an upstream release (which is more likely to introduce unfixed regressions, but that's their choice). Does RHEL similarly backport changes, or does RHEL follow our (old)stable release series?
Are there other LTS distributions that particularly care about 1.12.x? If I understand correctly, EndlessOS is still on 1.12.x, but they already have significant backported changes?
1.10.x is there to support Debian 11 and the RHEL 8 family, but I think we might have reached a point where backporting individual patches into those is more realistic than doing a new upstream release for their benefit?
The text was updated successfully, but these errors were encountered: