Discussion:
Openssl updates
Russ Lavoie
2006-11-17 16:49:28 UTC
Permalink
I have noticed that OpenSSL has not been updated for FC4 even though
there is a security vulnerability.

http://www.openssl.org/news/secadv_20060928.txt

The most current version I can find for FC4 is 0.9.7l

Where can I find this new rpm?

Russ
Donald Maner
2006-11-17 17:00:13 UTC
Permalink
New RPMs are in the QA process right now. You're welcome to download the SRPM that has been created for FC4, compile it, test it, and report on your test.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209116

________________________________

From: fedora-legacy-list-***@redhat.com on behalf of Russ Lavoie
Sent: Fri 11/17/2006 10:49 AM
To: fedora-legacy-***@redhat.com
Subject: Openssl updates

I have noticed that OpenSSL has not been updated for FC4 even though there is a security vulnerability.

http://www.openssl.org/news/secadv_20060928.txt

The most current version I can find for FC4 is 0.9.7l

Where can I find this new rpm?

Russ
Florian La Roche
2006-11-18 09:20:11 UTC
Permalink
Post by Russ Lavoie
I have noticed that OpenSSL has not been updated for FC4 even though
there is a security vulnerability.
http://www.openssl.org/news/secadv_20060928.txt
The most current version I can find for FC4 is 0.9.7l
Where can I find this new rpm?
Interest in Fedora Legacy has slowed down. You can find some
FC4 updates at http://www.jur-linux.org/rpms/fc-updates/4/ ,
but some updates will probably also soon show up at
http://fedoralegacy.org/

regards,

Florian La Roche
Matthew Miller
2006-11-18 14:09:22 UTC
Permalink
Post by Florian La Roche
Interest in Fedora Legacy has slowed down. You can find some
FC4 updates at http://www.jur-linux.org/rpms/fc-updates/4/ ,
but some updates will probably also soon show up at
http://fedoralegacy.org/
Is anyone actively working on the open OpenSSL bug at this point?
--
Matthew Miller ***@mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Donald Maner
2006-11-18 16:35:42 UTC
Permalink
It needs some source QA, then to be built. The SRPMs have been made and
posted to bugzilla.

-----Original Message-----
From: fedora-legacy-list-***@redhat.com
[mailto:fedora-legacy-list-***@redhat.com] On Behalf Of Matthew
Miller
Sent: Saturday, November 18, 2006 8:09 AM
To: Discussion of the Fedora Legacy Project
Subject: Re: Openssl updates
Post by Florian La Roche
Interest in Fedora Legacy has slowed down. You can find some
FC4 updates at http://www.jur-linux.org/rpms/fc-updates/4/ ,
but some updates will probably also soon show up at
http://fedoralegacy.org/
Is anyone actively working on the open OpenSSL bug at this point?
--
Matthew Miller ***@mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Benjamin Smith
2006-11-19 16:20:45 UTC
Permalink
Post by Florian La Roche
Interest in Fedora Legacy has slowed down. You can find some
FC4 updates at http://www.jur-linux.org/rpms/fc-updates/4/ ,
but some updates will probably also soon show up at
http://fedoralegacy.org/
I can see why this would be the case. I don't want to knock your efforts in
any way (very much appreciated!) but the truth is that FL exists to extend
the short shelf-life of Fedora. And anything that demands a longer shelf-life
I've moved over to CentOS or RHEL. I have but one remaining machine using
Fedora as a server (running FC1, in a fairly protected environment) that will
be upgraded to CentOS 5 once it's released.

FL was more or less born when those who started using Fedora to replace RHL on
the servers were bitten by Fedora's short lifespan. (myself included) Even
with FL's efforts, the life expectancy is still on the short side... I
currently plan against using Fedora in any long-term environment where FL
would even be needed... and I'm sure I'm not unique in that!

-Ben
--
"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978
David Eisenstein
2006-11-29 19:26:12 UTC
Permalink
Post by Benjamin Smith
Post by Florian La Roche
Interest in Fedora Legacy has slowed down. You can find some
FC4 updates at http://www.jur-linux.org/rpms/fc-updates/4/ ,
but some updates will probably also soon show up at
http://fedoralegacy.org/
I can see why this would be the case. I don't want to knock your efforts in
any way (very much appreciated!) but the truth is that FL exists to extend
the short shelf-life of Fedora. And anything that demands a longer shelf-life
I've moved over to CentOS or RHEL. I have but one remaining machine using
Fedora as a server (running FC1, in a fairly protected environment) that will
be upgraded to CentOS 5 once it's released.
FL was more or less born when those who started using Fedora to replace RHL on
the servers were bitten by Fedora's short lifespan. (myself included) Even
with FL's efforts, the life expectancy is still on the short side... I
currently plan against using Fedora in any long-term environment where FL
would even be needed... and I'm sure I'm not unique in that!
-Ben
Quite understandable, Ben. And this is why I am looking into stepping down
from continuing being a Fedora Legacy maintainer/builder. Neither me, nor
Jesse Keating, nor Marc Deslauriers nor any of the others can do this alone.
It is just too much work for too little reward and too many headaches for
those who care.

If there were a magic wand I could wave . . . . but I don't have the acumen
or skill to compel folks to be contributors nor the patience to more clearly
document the processes that we use (and that I learned how they work just by
doing them and making many, many mistakes). When people don't step up, this
is what happens.

I wish I could do more. But really, I don't know that that wish is
realistic. Does anyone else wish more could be done? Or do we just kill the
project?

Warm regards,

David Eisenstein
Matthew Miller
2006-11-29 19:29:28 UTC
Permalink
Post by David Eisenstein
I wish I could do more. But really, I don't know that that wish is
realistic. Does anyone else wish more could be done? Or do we just kill the
project?
Well, as I've said, I wish more could be done, but I can't really do it. I
think the best thing is to officially hang up the "Closed" sign as soon as
possible. If, later, there's interest in extending the lifespan of a
particular release, we can revisit.
--
Matthew Miller ***@mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Axel Thimm
2006-11-30 02:33:59 UTC
Permalink
Post by Matthew Miller
Post by David Eisenstein
I wish I could do more. But really, I don't know that that wish is
realistic. Does anyone else wish more could be done? Or do we just kill the
project?
Well, as I've said, I wish more could be done, but I can't really do it. I
think the best thing is to officially hang up the "Closed" sign as soon as
possible. If, later, there's interest in extending the lifespan of a
particular release, we can revisit.
I would rephrase it in a positive way: Legacy is merged with Core and
Extras under one umbrella redefining EOL time marks. E.g. there is a
shorter total lifespan, but during that lifespan there is more
manpower assigned to get timely security fixes out.

The current compromise is that FL was extending Fedora by 12 months,
where now it will be only 4 additional months. Reviving FL in these
terms would mean to try to extend a couple more months. But let's give
that new model a new chance first and measure demand and available
manpower after the first implementation of this model.
--
Axel.Thimm at ATrpms.net
Matthew Miller
2006-11-30 02:37:02 UTC
Permalink
Post by Axel Thimm
I would rephrase it in a positive way: Legacy is merged with Core and
Extras under one umbrella redefining EOL time marks. E.g. there is a
shorter total lifespan, but during that lifespan there is more
manpower assigned to get timely security fixes out.
The current compromise is that FL was extending Fedora by 12 months,
where now it will be only 4 additional months. Reviving FL in these
terms would mean to try to extend a couple more months. But let's give
that new model a new chance first and measure demand and available
manpower after the first implementation of this model.
Sounds good. I think the important thing, though, is to state clearly that
FC3, FC4, and before are effectively unsupported *right now*.
--
Matthew Miller ***@mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Jesse Keating
2006-11-30 02:54:31 UTC
Permalink
Post by Matthew Miller
Post by Axel Thimm
I would rephrase it in a positive way: Legacy is merged with Core and
Extras under one umbrella redefining EOL time marks. E.g. there is a
shorter total lifespan, but during that lifespan there is more
manpower assigned to get timely security fixes out.
The current compromise is that FL was extending Fedora by 12 months,
where now it will be only 4 additional months. Reviving FL in these
terms would mean to try to extend a couple more months. But let's give
that new model a new chance first and measure demand and available
manpower after the first implementation of this model.
Sounds good. I think the important thing, though, is to state clearly that
FC3, FC4, and before are effectively unsupported *right now*.
I think this would be best. Legacy was an experiment that worked for a period
of time and has over time worked less and less. Interest has waned as well as
willingness to participate.
--
Jesse Keating
Release Engineer: Fedora
Matthew Miller
2006-11-30 02:58:06 UTC
Permalink
Post by Jesse Keating
I think this would be best. Legacy was an experiment that worked for a period
of time and has over time worked less and less. Interest has waned as well as
willingness to participate.
Okay, what more do we need to make it official?
--
Matthew Miller ***@mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Jesse Keating
2006-11-30 03:12:11 UTC
Permalink
Post by Matthew Miller
Okay, what more do we need to make it official?
Webpage changes to note our wrapup, reporting to the Fedora Board regarding
our project status, postings to fedora-announce-list, and then watching the
flames roll in.
--
Jesse Keating
Release Engineer: Fedora
Matthew Miller
2006-11-30 11:55:46 UTC
Permalink
Post by Jesse Keating
Post by Matthew Miller
Okay, what more do we need to make it official?
Webpage changes to note our wrapup, reporting to the Fedora Board regarding
our project status, postings to fedora-announce-list, and then watching the
flames roll in.
Is the 13-month lifespan for Core (i.e. "merged Legacy") accepted as
official?
--
Matthew Miller ***@mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Jesse Keating
2006-11-30 13:12:53 UTC
Permalink
Post by Matthew Miller
Is the 13-month lifespan for Core (i.e. "merged Legacy") accepted as
official?
That honestly depends on if releasing core to the outside world gets the
approval of Red Hat management. We hope it does, and if it does (and if
Legacy and FESCO agree) then the 13-month will fall into effect. So it
hasn't been decided yet.
--
Jesse Keating
Release Engineer: Fedora
Axel Thimm
2006-11-30 14:29:04 UTC
Permalink
Post by Jesse Keating
Post by Matthew Miller
Is the 13-month lifespan for Core (i.e. "merged Legacy") accepted as
official?
That honestly depends on if releasing core to the outside world gets the
approval of Red Hat management. We hope it does, and if it does (and if
Legacy and FESCO agree) then the 13-month will fall into effect. So it
hasn't been decided yet.
If some statement from legacy is needed about FC3/FC4 before that
decision is made (which IMHO is needed), how about something along a
heading of

"Fedora Legacy is ending its current support model working towards
direct involvement in maintenance of upcoming Fedora releases in
FL's spirit of extending lifetimes of Fedora releases. Within this
anticipated release model there will be no distinction between FL
and other entities."

We don't pre-announce anything that hasn't been decided on, but still
show where FL is heading to.

It's better than simply hanging a "closed" sign upfront the website. :)
--
Axel.Thimm at ATrpms.net
Nils Breunese (Lemonbit)
2006-11-30 14:59:55 UTC
Permalink
Post by Axel Thimm
If some statement from legacy is needed about FC3/FC4 before that
decision is made (which IMHO is needed), how about something along a
heading of
"Fedora Legacy is ending its current support model working towards
direct involvement in maintenance of upcoming Fedora releases in
FL's spirit of extending lifetimes of Fedora releases. Within this
anticipated release model there will be no distinction between FL
and other entities."
We don't pre-announce anything that hasn't been decided on, but still
show where FL is heading to.
It's better than simply hanging a "closed" sign upfront the
website. :)
But FC3/4 admins reading this statement might think their versions
are still supported somehow. At least I don't see 'FC3 and FC4 are
effectively EOL right now' between the lines and I think people
should know plans have changed and they aren't getting any updates
anymore.

I think it's sad Fedora Legacy seems to be ending a little
prematurely, but I totally understand that the people that were
carrying this dying beast have decided to just put it down and let it
be. Unfortunately I will have to be migrating our last Fedora servers
over to CentOS even sooner now...

Thanks for all the work guys,

Nils Breunese.
Rex Dieter
2006-11-30 15:11:52 UTC
Permalink
Post by Nils Breunese (Lemonbit)
Unfortunately I will have to be migrating our last Fedora servers
over to CentOS even sooner now...
I take it, then, that extending Fedora's (supported) life-cycle to 13+ mos
isn't sufficient for your needs?

-- Rex
Matthew Miller
2006-11-30 15:30:58 UTC
Permalink
Post by Rex Dieter
Post by Nils Breunese (Lemonbit)
Unfortunately I will have to be migrating our last Fedora servers
over to CentOS even sooner now...
I take it, then, that extending Fedora's (supported) life-cycle to 13+ mos
isn't sufficient for your needs?
That's the case here too, and as I suggested earlier, is also true for many,
many other people who haven't said anything. (I'm basing this on
circumstantial evidence, but, for example, observe the number of people who
crop up on fedora-list with FC3 questions.)

However, ample evidence has made it clear that without significant resources
from someone with money to dedicate to this project (i.e. at least one
full-time position), more than 13 months is not practical. Therefore, CentOS
is the best answer for this large segment of users. That's a loss for
Fedora, but, whatchagonnado.

Going to 13 months will at least cover a different largish segment.

..__
....____
......._______
..........__________
__ ............._____________..
_____ ............._____________....
_______ ............._____________......
._________ ............._____________........_
.._________ ............._____________........___
....._________ ............._____________........_______________

Fedora +13 mo. CentOS/RHEL RHEL Unix Still running mainframes
--
Matthew Miller ***@mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Nils Breunese (Lemonbit)
2006-11-30 15:40:55 UTC
Permalink
Post by Rex Dieter
Post by Nils Breunese (Lemonbit)
Unfortunately I will have to be migrating our last Fedora servers
over to CentOS even sooner now...
I take it, then, that extending Fedora's (supported) life-cycle to 13+ mos
isn't sufficient for your needs?
Not for that couple of FC3 machines my clients have running. Or am I
misunderstanding the 13 months of support somehow? FC3 was released
on November 8 2004. Also, FC4 (I don't have any FC4 machines) was
released on June 13 2005, so I guess that is also EOL effectively.

Nils Breunese.
Matthew Miller
2006-11-30 16:11:37 UTC
Permalink
Post by Nils Breunese (Lemonbit)
Not for that couple of FC3 machines my clients have running. Or am I
misunderstanding the 13 months of support somehow? FC3 was released
on November 8 2004. Also, FC4 (I don't have any FC4 machines) was
released on June 13 2005, so I guess that is also EOL effectively.
In terms of "have there been a meaningful number of updates for real
security problems", they are EOL *now* -- just sans announcement.
--
Matthew Miller ***@mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Nils Breunese (Lemonbit)
2006-11-30 16:40:45 UTC
Permalink
Post by Matthew Miller
Post by Nils Breunese (Lemonbit)
Not for that couple of FC3 machines my clients have running. Or am I
misunderstanding the 13 months of support somehow? FC3 was released
on November 8 2004. Also, FC4 (I don't have any FC4 machines) was
released on June 13 2005, so I guess that is also EOL effectively.
In terms of "have there been a meaningful number of updates for real
security problems", they are EOL *now* -- just sans announcement.
I know, but not everybody knows. If FL is going to make an official
statement I'd vote for telling it like it is. Giving the whole thing
a positive spin (by saying Legacy is merging with Core) is fine with
me, but I suggest we do tell people FC3 and FC4 are EOL as of *now*
(unlike what some people may be thinking).

Nils Breunese.
Stephen John Smoogen
2006-11-30 21:02:19 UTC
Permalink
Post by Rex Dieter
Post by Nils Breunese (Lemonbit)
Unfortunately I will have to be migrating our last Fedora servers
over to CentOS even sooner now...
I take it, then, that extending Fedora's (supported) life-cycle to 13+ mos
isn't sufficient for your needs?
For my previous government jobs it took about 3 months to get an OS
certified from the time it was gold to when it could be used. That
leaves 10 months of usefulness of it, which I think will work well for
the cluster people who needed the latest stuff as they will be really
only using it for 6 months before the next upgrade. The finalized
large cluster would go onto being Centos or RHEL as it would need to
run the same code sets for 5 years. Depending on the department, a 10
month lifetime would also be ok for desktops. For servers, it is too
short of a time as it usually takes about 2 months after the OS is ok
to be used for the various services to be solid. However, it is what
people get for living off the work of others (e.g. gratis)
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
Tony Molloy
2006-11-30 15:25:19 UTC
Permalink
Post by Nils Breunese (Lemonbit)
I think it's sad Fedora Legacy seems to be ending a little
prematurely, but I totally understand that the people that were
carrying this dying beast have decided to just put it down and let it
be. Unfortunately I will have to be migrating our last Fedora servers
over to CentOS even sooner now...
Thanks for all the work guys,
Nils Breunese.
Well for me in a University environment a 13 month lifetime for a Fedora
release is perfect.

Our servers already all run Centos-4.

Our desktops are installed each year at the beginning of Sept with the
latest available Fedora, and reinstalled in late January during the break
between semesters. We just missed out on Fedora 6 this year ;-(

So thanks for everything,

Tony
--
Tony Molloy.

System Manager.
Dept. of Comp. Sci.
University of Limerick
Matthew Miller
2006-11-30 15:32:42 UTC
Permalink
Post by Jesse Keating
That honestly depends on if releasing core to the outside world gets the
approval of Red Hat management. We hope it does, and if it does (and if
Legacy and FESCO agree) then the 13-month will fall into effect. So it
hasn't been decided yet.
Everyone's pretty much talking like this is a done deal. Any idea when an
official decision will be made?
--
Matthew Miller ***@mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Jesse Keating
2006-11-30 15:35:44 UTC
Permalink
Post by Matthew Miller
Everyone's pretty much talking like this is a done deal. Any idea when an
official decision will be made?
I'm involved in discussions with RH management this week, and probably next
week.
--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)
Matthew Miller
2006-11-30 15:40:44 UTC
Permalink
Post by Jesse Keating
Post by Matthew Miller
Everyone's pretty much talking like this is a done deal. Any idea when an
official decision will be made?
I'm involved in discussions with RH management this week, and probably next
week.
Okay, thanks for the update.
--
Matthew Miller ***@mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
David D. Eisenstein
2006-12-01 23:58:59 UTC
Permalink
Post by Jesse Keating
Post by Matthew Miller
Everyone's pretty much talking like this is a done deal. Any idea when an
official decision will be made?
I'm involved in discussions with RH management this week, and probably next
week.
Any chance that others involved with Fedora Legacy in addition to you
might be able to be involved in those discussions, Jesse?

Regards,

David Eisenstein
Jesse Keating
2006-12-02 02:37:15 UTC
Permalink
Post by David D. Eisenstein
Post by Jesse Keating
I'm involved in discussions with RH management this week, and probably
next week.
Any chance that others involved with Fedora Legacy in addition to you
might be able to be involved in those discussions, Jesse?
Unfortunately it is not possible to have non Red Hat people in these meetings,
as it is a decision for Red Hat to make regarding the lifeblood of their RHEL
product. These discussions are the opening of core discussions, not the new
lifespan, folding Legacy into a longer release lifespan, etc... Those types
of decisions come AFTER we get the go ahead to open core.
--
Jesse Keating
Release Engineer: Fedora
Russ Lavoie
2006-11-29 19:29:51 UTC
Permalink
I would like to see it go further myself. All the work you guys do is
greatly appreciated by myself and probably my others as well.

Russ

-----Original Message-----
From: fedora-legacy-list-***@redhat.com
[mailto:fedora-legacy-list-***@redhat.com] On Behalf Of David
Eisenstein
Sent: Wednesday, November 29, 2006 1:26 PM
To: ***@benjamindsmith.com; Discussion of the Fedora Legacy Project
Subject: nails in coffins? Re: Openssl updates
Post by Benjamin Smith
Post by Florian La Roche
Interest in Fedora Legacy has slowed down. You can find some
FC4 updates at http://www.jur-linux.org/rpms/fc-updates/4/ ,
but some updates will probably also soon show up at
http://fedoralegacy.org/
I can see why this would be the case. I don't want to knock your efforts in
any way (very much appreciated!) but the truth is that FL exists to extend
the short shelf-life of Fedora. And anything that demands a longer shelf-life
I've moved over to CentOS or RHEL. I have but one remaining machine using
Fedora as a server (running FC1, in a fairly protected environment) that will
be upgraded to CentOS 5 once it's released.
FL was more or less born when those who started using Fedora to replace RHL on
the servers were bitten by Fedora's short lifespan. (myself included) Even
with FL's efforts, the life expectancy is still on the short side... I
currently plan against using Fedora in any long-term environment where FL
would even be needed... and I'm sure I'm not unique in that!
-Ben
Quite understandable, Ben. And this is why I am looking into stepping down
from continuing being a Fedora Legacy maintainer/builder. Neither me, nor
Jesse Keating, nor Marc Deslauriers nor any of the others can do this alone.
It is just too much work for too little reward and too many headaches for
those who care.

If there were a magic wand I could wave . . . . but I don't have the acumen
or skill to compel folks to be contributors nor the patience to more clearly
document the processes that we use (and that I learned how they work just by
doing them and making many, many mistakes). When people don't step up, this
is what happens.

I wish I could do more. But really, I don't know that that wish is
realistic. Does anyone else wish more could be done? Or do we just kill the
project?

Warm regards,

David Eisenstein