Re: Summary of the LTS BoF held during DebConf

[Moritz Muehlenhoff <jmm@inutil.org>]

On Thu, Jan 28, 2016 at 05:24:13AM +0100, Thijs Kinkhorst wrote:
> On Tue, January 19, 2016 17:56, Santiago Ruano Rincón wrote:
> > Moreover, squeeze lts has been advertised to end next February, the 6th
> > to be precise. At the same time, the security team would support wheezy
> > until April 26th 2016, which is the Jessie release date + 1 year. What
> > do you think if the Squeeze lts team extends Squeeze's life until the
> > end of April, to cut at the wheezy-lts starting period?
> >
> > Would the security team prefer the lts team focus more on fixing issues
> > currently open in wheezy, but already fixed in squeeze?
> 
> I can't imagine objections that the security team would have against
> extending the support until 26 April, and indeed it makes sense to align
> it with the end of Wheezy support.
>
> As to whether you spend your time on remaining squeeze or ramp-up to
> wheezy or both, that is primarily the LTS team's own decision to make, of
> course in consultation with the sponsors, as they probably have ideas of
> what service they wish to invest in.

Personally I think it rather makes sense to stick with end of February as
advertised. People will have planned for this and you should better use 
the 1.5 months of transitions months to work on 

a) improving the infrastructure (like the archive/dak changes mentioned during
   the BoF at DebConf)
b) working on some updates for wheezy. There are still a _lot_ of uncertainties
   in the scope of packages to be supported in Wheezy LTS in the area of
   virtualisation, libav and Java. Those will only be eliminated by actually
   getting spending time on researching things in more depth. Examples:
   - If you keep openjdk-6, figure out how to upgrade to new icedtea releases
     (as currently done by doko, but he'll stop once Ubuntu 12.04 is EOLed)
     Otherwise figure out the changes you need to make to only support openjdk-7
   - We still don't have a package for the latest Xen security issues in wheezy.
     Upstream support for 4.1 is EOLed for a while now and complex security fixes
     become really tricky to backport. KVM is in a similar position. Spending
     a man day to research that more deeply might shed some light on the feasibility
     of virtualisation support in Wheezy LTS. Alternatively figure out a model what
     exactly you want to support. I seriously doubt anyone runs a cloud/VM provider
     on wheezy, so maybe rather adapt the policy for backported security fixes to
     a more common scenario like trusted, internal hosting of services.
   - libav in wheezy is EOLed for a long time now (and upstream was already lagging
     behind many fixes to ffmpeg due to bad blood between projects). You could spend
     some time on either disabling fringe/risky codecs or investigate whether a set
     of important rdeps can be modified to use a backport of libav from jessie.

Cheers,
        Moritz