Date:      Fri, 29 Sep 2000 19:31:43 -0700 (PDT)
From:      Doug Barton <DougB@gorean.org>
To:        Michael Bryan <fbsd-security@ursine.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: Status of FreeBSD-SA-00:41.elf?
Message-ID:  <Pine.BSF.4.21.0009291924410.72839-100000@dt051n37.san.rr.com>
In-Reply-To: <39D52FDF.2D08F04D@ursine.com>

On Fri, 29 Sep 2000, Michael Bryan wrote:

> "Brian F. Feldman" wrote:
> 
> > I should say we would do well to stop "supporting" 3.X anymore and let
> > people know (a bit louder perhaps?) 3.5 is the end of the line for 3.X and
> > the proper solution is an upgrade to _4.X_.  It's simply not very
> > interesting or useful to be supporting something that should be phased out
> > instead of "sorta upgraded" to the latest small increment of a quietly
> > dying line.

> At the very least, security fixes should be available for version N.x for a
> year or more after M.x comes out (M=N+1).  If possible, even longer.  Yes, I know
> that's a resource commitment, and as code diverges, it gets harder and harder to
> apply even just the security subset of changes back to older versions.  I also know
> that with "Internet Time", and the frequent releases of FreeBSD, that means an ever
> increasing number of versions to support for security fixes.  But if you cut that
> support time too short, a lot of commercial interests will be alienated, and will
> very likely say "Hmmm, they won't provide a security patch for the version we
> just rolled out five months ago, and instead we have to fully upgrade everybody?
> Maybe we want to go with some other solution instead."

	This has been hashed over repeatedly, so we're not going to make
any landmark decisions here, but suffice it to say that in general the
"one year rule" towards supporting older releases has been the
semi-official policy. Brian is being a tad overenthusiastic. Basically,
your points are well taken. 

	Please keep in mind though that this is really only the third
major version "rotation" that the project has done where there was a
significant number of non-developers who cared. We're still learning the
process. With the BSDi deal there are already more resources being
dedicated to and obtained for regression testing. In short, the process
will improve, meanwhile life goes on. 

Doug (not speaking for the project, my employer, or anyone else for that
matter)
-- 
        "The dead cannot be seduced."
		- Kai, "Lexx"

	Do YOU Yahoo!?



