Fedora Forms Process For Retiring Packages With Open Security Issues

At Monday's Fedora Engineering and Steering Committee (FESCo) meeting, members approved a plan for when packages with untimely security updates can be retired. The approved plan comes down to:
During the FESCo meeting on Feb 18th 2019 we decided to retire them way before branching so that people will have time to reintroduce them if needed, and this helps us to do it only in rawhide rather than in both branched and rawhide.
So, here's my proposal: once a release gets out and we start working on branching on the next release, there are about three and a half months of time, which is 14 weeks.
We can start this process 10 weeks before branching and send weekly notifications for 4 weeks and retire them after 4 weeks of notifications, which gives them 6 weeks to get them back into the distribution before branching. 6 weeks before branching because if a package is retired for more than 2 weeks then they have to go through the review process, which takes time sometimes.
That proposal has now been approved along with other items, per the FESCo meeting minutes. At this meeting they also deferred the proposal to enable DNF's "best" mode by default; they will consider it for the Fedora 31 cycle rather than for Fedora 30 as had originally been planned.