[linux-elitists] Fedora Legacy

Jonathan Corbet corbet@lwn.net
Wed Jan 26 14:55:49 PST 2005


Rick Moen <rick@linuxmafia.com> wrote:

> Which means you have to also decide how much trust you should vest in
> Fedora Legacy (or similar).  I mean no disrespect to that project:  It's
> set itself a tough and largely thankless job.  That job happens, in
> their case, to be implemented via version upgrades to the latest
> upstream rev. of each security-impaired package, rather than
> backporting, so people who run EOLed distros because of
> proprietary-application requirements may well be screwed, either way.

Actually, Fedora Legacy claims to backport fixes:

	In most cases, fixes are back-ported to the current package
	version rather than upgrading the package to a newer
	version. This is done in order to limit the possible
	side-effects which can result from an upgrade. Packages are only
	upgraded to a newer version if consensus dictates that we should
	do so for some specific reason.

This policy differs from that of Fedora itself.  This is rather
academic, however, since Fedora Legacy appears to have ground to a
complete halt.  There have been no updates for over a month, and systems
which depend on Fedora Legacy for updates are currently open to a number
of vulnerabilities.  Kind of answers the "how much should you trust the
project" question, at least for now.

jon




More information about the linux-elitists mailing list