From: Julian Elischer <julian@freebsd.org>
To: Mark Linimon
Cc: freebsd-ports@freebsd.org
Subject: Re: [RFC] Why FreeBSD ports should have branches by OS version
Date: Fri, 23 Jun 2017 13:22:16 +0800
Message-ID: <3a428572-039c-79ed-8804-41e5fef4df99@freebsd.org>
In-Reply-To: <20170623043947.GA8922@lonesome.com>
List-Id: Porting software to FreeBSD
On 23/6/17 12:39 pm, Mark Linimon wrote:
> On Fri, Jun 23, 2017 at 11:58:14AM +0800, Julian Elischer wrote:
>> What we want is:
>> A "recent" starting point for our next project/upgrade to start from
>> and an ongoing version of that, which will get critical fixes only for
>> at LEAST 2 years, probably 5.
>> The key here is the *_*critical fixes only*_* part.
> And how much is that worth to you and/or your company?

Glad you asked.

If we had such a setup it would probably be worth a good part of a person's salary. Since we have had to do without it, we have workarounds in place that took a lot of work to make.

But we are now running a parallel system where we are taking snapshots of head and using them. The downside is that we don't have the resources to follow all the security issues, so we are forced to do cross-revision upgrades sometimes where, for example, all the packages we install were compiled from a tree that approximates 10.3 ports, but the openssl package is from a source tree that is much newer. We enjoy this about as much as having our corporate wisdom teeth pulled out, but it's forced on us.

In the near future we will be taking a new snapshot for the next release. What branch and revision of the ports tree will be snapshotted is still not decided. If there were a suitable first-half-2017 stable branch we'd take that for sure, then we'd follow it, merging changes in, and probably feeding fixes back.

Since there are no "security patch only" branches, what we will probably end up doing is snapshotting head and crossing our fingers, hoping that we notice any relevant vulnerabilities and have the time to work out a fix. Of course, if there is no easy patch, we may have to do single-package upgrades, which is usually only painless for a short time after the snapshot, because the Makefile infrastructure keeps changing.

> I mean, honestly. You constantly criticize the volunteers for not doing
> what you need. Well _need_, to me, implies the existence of some kind
> of incentive. I can state to you, flatly, that "a feeling of a job well
> done" isn't _sufficient incentive_ to do professional-level QA. There's
> a reason people get _paid to do it_: it's hard, long, tedious, unrewarding
> work, and it never ends.
>
> Clearly, relying on _volunteers_ to do professional-level QA isn't working
> out for you.
>
> Thus, IMVVHO, at this point, to get what you _need_, you need to get out
> your checkbook and provide a _financial_ incentive. In my experience,
> with the volunteers that we have, we can barely keep things afloat as
> it is. It's sufficiently hard to recruit people, and burnout is high
> -- especially given the grief we take.
>
> (I won't even start on how even "critical fixes" can drag in the need
> to update dependencies, which then conflict with each other, and so on
> and so forth, and thus even "critical fixes" aren't trivial.)
>
> Summary: you are providing negative incentive to the ports crew, with
> no upside for them, and you can't understand why it doesn't work.
>
> tl;dr: you want us to be RedHat but with no paid employees.
>
> mcl