[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: EOL candidates for security-support-ended.deb10

On 05/08/2022 11:48, Raphael Hertzog wrote:

On Wed, 03 Aug 2022, Sylvain Beucler wrote:
OpenStack: we tend not to support openstack beyond upstream's support, but
I'm having a hard time associating the components version with OpenStack's
major version; possibly other openstack packages (horizon, manila,
neutron...) are concerned; see also
https://access.redhat.com/support/policy/updates/openstack/platform/ ; if
somebody is more familiar with openstack, input would be appreciated :)
- keystone https://lists.debian.org/debian-lts/2020/05/msg00011.html

FWIW, I got some private feedback from an LTS sponsor that they are still
running Openstack on buster so it would be nice if we could try to support
it this time around.

The number of CVE on Openstack related packages seem to be low.

Do you see any reason why we should not try to support it?

We shouldn't just forward-port the EOL list. I.e. if the only reason to not support something is "we didn't support it in previous releases", then we should support it.

For OpenStack in particular, I don't see it in security-support-ended.*, but IIRC the reason was that upstream used to move too fast and security fixes were hard to backport. If things have stabilized, with fewer issues and a more stabilized code, and upstream provides enough information, then I see no reason why we can't support it.


Reply to: