[RFC] Why FreeBSD ports should have branches by OS version
Julian Elischer
julian at freebsd.org
Fri Jun 23 05:22:27 UTC 2017
On 23/6/17 12:39 pm, Mark Linimon wrote:
> On Fri, Jun 23, 2017 at 11:58:14AM +0800, Julian Elischer wrote:
>> What we want is:
>> A "recent" starting point for our next project/upgrade to start from
>> and an ongoing version of that, which will get critical fixes only for
>> at LEAST 2 years, probably 5.
>> The key here is the *_*critical fixes only*_* part.
> And how much is that worth to you and/or your company?
glad you asked.
If we had such a setup it would probably be worth a good part of a
person's salary.
Since we have had to do without it, we have workarounds in place that
took a lot of work to make.
But we are now running a parallel system where we are taking
snapshots of head and using them.
The downside is that we don't have the resources to follow all the
Security issues so we are forced
to do cross-revision upgrades sometimes where for example all the
packages we install were
compiled from a tree that approximates 10.3 ports, but the openssl
package is from a source tree
that is much newer. We enjoy this about as much as having our
corporate wisdom teeth pulled out
but it's forced on us.
In the near future we will be taking a new snapshot for the next
release. What branch and revision
of the ports tree wil be snapshotted is still not decided, If there
were a suitable first-half-2017
stable branch we'd take that for sure, then we'd follow it, merging
changes in, and probably feeding
fixes back.
Since there are no "security patch only" branches, What we will
probably end up doing is
snapshotting head and crossing our fingers hoping that we notice any
relevant
vulnerabilities and have the time to work out a fix. Of course If
there is no easy patch, we
may have to do single-package upgrades, which is usually only painless
for a short time
after the snapshot, because the Makefile infrastructure keeps changing.
>
> I mean, honestly. You constantly criticize the volunteers for not doing
> what you need. Well _need_, to me, implies the existence of some kind
> of incentive. I can state to you, flatly, that "a feeling of a job well
> done" isn't _sufficient incentive_ to do professional-level QA. There's
> a reason people get _paid to do it_: it's hard, long, tedious, unrewarding
> work, and it never ends.
>
> Clearly, relying on _volunteers_ to do professional-level QA isn't working
> out for you.
>
> Thus, IMVVHO, at this point, to get what you _need_, you need to get out
> your checkbook and provide a _financial_ incentive. In my experience,
> with the volunteers that we have, we can barely keep things afloat as
> it is. It's sufficiently hard to recruit people, and burnout is high
> -- especially given the grief we take.
>
> (I won't even start on how even "critical fixes" can drag in the need
> to update dependencies, which then conflict with each other, and so on
> and so forth, and thus even "critical fixes" aren't trivial.)
>
> Summary: you are providing negative incentive to the ports crew, with
> no upside for them, and you can't understand why it doesn't work.
>
> tl;dr: you want us to be RedHat but with no paid employees.
>
> mcl
>
More information about the freebsd-ports
mailing list