From owner-freebsd-security Mon May 20 10:19: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from softweyr.com (softweyr.com [65.88.244.127]) by hub.freebsd.org (Postfix) with ESMTP id E39C037B406; Mon, 20 May 2002 10:18:19 -0700 (PDT) Received: from 66-75-153-50.san.rr.com ([66.75.153.50] helo=softweyr.com) by softweyr.com with esmtp (Exim 3.35 #1) id 179qnU-000Jn3-00; Mon, 20 May 2002 11:18:13 -0600 Message-ID: <3CE93084.7C6ADAFF@softweyr.com> Date: Mon, 20 May 2002 10:21:08 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.4.2 i386) X-Accept-Language: en MIME-Version: 1.0 To: Maxim Sobolev Cc: dsyphers@uchicago.edu, developers@FreeBSD.ORG, security@FreeBSD.ORG, nectar@FreeBSD.ORG Subject: Re: Is 4.3 security branch officially "out of commission"? References: <3CE8C3E2.EBF4EC8F@FreeBSD.org> <200205201008.g4KA8uKl000787@midway.uchicago.edu> <3CE8D057.BEA07F0@FreeBSD.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Maxim Sobolev wrote: > > David Syphers wrote: > > > > On Monday 20 May 2002 04:37 am, Maxim Sobolev wrote: > > > Folks, > > > > > > I was notified by the members of the local FreeBSD community (we have > > > a very strong presence of FreeBSD in ISP circles here) that seemingly > > > 4.3 security branch isn't supported anymore, even though there was no > > > official announcement about decommissioning. > > > > See http://www.freebsd.org/security/index.html. I quote > > --- > > At this time, security advisories are being released for: > > > > FreeBSD 4.4-RELEASE > > FreeBSD 4.5-RELEASE > > FreeBSD 4.5-STABLE > > > > Older releases are not maintained and users are strongly encouraged to > > upgrade to one of the supported releases mentioned above. > > --- > > > > As Kris Kennaway mentioned on May 8 (security@ archives...), the official > > lifetimes of the security branches are not long, although the security team > > may choose to extend support longer as a courtesy, presumably if they have > > the manpower and interest. > > I see. > > What is the official procedure when somebody not from the security > team want to maintain older releases? For example, as I said there is > significant push from the local community to merge recent security > fixes into older releases, so that it is likely that they could > provide to me with tested patches for older releases they are > interested in. May I merge them into 4.3 security branch without my > commit bit being suspended for inappropriate MFCs into security > branch? Once you've obtained the permission of the security officer, you may commit any change to a _RELEASE tag. There is an historical precedent here, the last time we took 2+ years to get the next major release out the door. Security fixes and such were maintained in the 2.2.x branch for quite some time while 3.0 was being worked on and after it was released but not deemed stable enough for production work by a large number of users. This time we actually have a CVS mechanism in place to help. ;^) Maxim, if this is important enough to you to become a 4.3 maintenance coordinator or some other such fancy title, perhaps you should propose that to the Security Officer. In the meantime, I think he will be quite interested to see proposed patches and MFC/MFS's. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message