On Tue, 2008-09-23 at 13:37 -0700, Jo Rhett wrote:
> Some quite lively offline discussion has come to conclusion with the
> following suggestions to change the support policy. Obviously, this
> is what we feel would be a good idea, but it's obviously open to
> discussion and there's nobody demanding anything here. It just seems
> "better".
>
> Old text:
> > Each branch is supported by the Security Officer for a limited time
> > only, and is designated as one of `Early adopter', `Normal', or
> > `Extended'. The designation is used as a guideline for determining
> > the lifetime of the branch as follows.
> >
> > Early adopter
> > Releases which are published from the -CURRENT branch will be
> > supported by the Security Officer for a minimum of 6 months after
> > the release.
> > Normal
> > Releases which are published from a -STABLE branch will be
> > supported by the Security Officer for a minimum of 12 months after
> > the release.
> > Extended
> > Selected releases will be supported by the Security Officer for
> > a minimum of 24 months after the release.

>
> Proposed (starting point for discussion for) new text:
>
> Each branch is supported by the Security Officer for a limited time
> only, and is designated as one of `Early adopter', `Normal', or
> 'Final'. The designation is used as a guideline for determining the
> lifetime of the branch as follows.
>
> Early adopter
> Releases which are published from the -CURRENT branch will be
> supported by the Security Officer for a minimum of 6 months after the
> release.
>
>
> Normal
> Releases which are published from a -STABLE branch will be
> supported by the Security Officer for a minimum of 12 months after the
> release.
> A release which is not the final minor release of a branch will
> be additionally supported by a minimum of 6 months past the release
> date of the succeeding version. For example X.1 will be supported for
> 12 months or until 6 months past the release date of X.2, whichever
> comes later.
>
> Final
> The final minor release on a given branch will be supported by
> the Security Officer for a minimum of 24 months after the release.
>
>
> OBSERVATIONS:
>
> 1. This avoids the need for the well-documented chicken-and-egg
> problem of trying to guess which release is the final release.
>
> 2. This is a consistent policy in line with many other vendor policies.
>
> 3. This rewards forward movement in the branch.
>
> And finally, as I've done the match carefully,
>
> 4. It would appear to *reduce* rather than enlarge the support
> requirements for the security team. Unless a minor release comes out
> less than 6 months after a previous release, only two versions would
> ever be supported at the same time. In recent history 3 minor
> releases in the same branch have been supported more often than not.
>
> Example under current policy:
>
> 6.5 comes out in July of 2009. For July -> October the security team
> will need to support 3 releases: 6.3, 6.4 and 6.5. From November
> 2009 through January 2010 the security team will need to support 6.3
> and 6.5, but not 6.4.
>
> Revised under the existing policy:
>
> Support for 6.3 expires in April of 2009. (more than 12 months past
> release and 6 months after the release of 6.4). Support for 6.4
> expires in January of 2010. Support for 6.5 would expire in July of
> 2011 or 6 months after the release of 6.6.
>
> ^NOTE: this example is probably unfeasible since 6.3 already has a
> published support period ended in January 2010, but this will prevent
> a similar occurrence happening in future releases.
>
> Note2: This new policy would not change the support period for 6.4 if
> it is the final release, but it does completely resolve the need to
> "guess" whether or not it will be the final release.
>
> The notable change that I believe will encourage business
> participation in the testing/evaluation process is that 6.4 is
> guaranteed to be supported either 24 months, or at least 6 months past
> the release date of 6.5. (recent history suggests this would be
> 15-19 months). This encourages businesses to test and evaluate 6.4
> NOW, rather than waiting until a decision about the support policy is
> made.
>
> Repeat from the top: nobody is demanding anything. I think this
> policy would make a lot more sense, and would promote forward
> movement. Feel free to correct me if we overlooked anything. Thanks.
>


Isn't this a non-pragmatic way of looking at this? Currently, as long as
there are no serious issues with 6.4, 6.4 will be supported for 24
months from release. This is abundantly clear from both prior history
and what secteam say.
If there are serious issues, then 6.5 will be cut to address these
issues, and it would be a release to address these issues. In this case,
the 'only 12 month support' is irrelevant; one would want to migrate
these machines to 6.5. One might argue that this isn't something that
can be planned for by a user; I would argue that planning for
unexpected, serious problems is something that has to be done for every
deployed machine.

Extended support is great for point-1 releases, so we can acclimatise to
a new major branch with the benefit that no major functional changes
will jump in. To my mind, this entire discussion is bikeshed painting
that ends up with semantic arguing about what a 'final' release is.

Cheers

Tom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEABECAAYFAkjbpd4ACgkQlcRvFfyds/czVwCfX5sR3x/AU3igHDCC/HxymfCB
QioAoIhs1isUlL4w/x8M7rcua41jkn5G
=Cgwx
-----END PGP SIGNATURE-----