
Distributions

Fedora's Node.js problem

By Jake Edge
May 4, 2016

Aligning distribution and major package schedules is often something of a tricky balancing act. Fedora is currently doing some of that; it is trying to figure out what to do with its Node.js package for Fedora 24. Node.js 5.10 is currently packaged for Fedora 24, but that release will only be supported upstream until mid-year, which would mean that Fedora developers would have to backport security fixes themselves for as long as a year. But the most recent release (6.0) came out on April 26 and may not yet be supported by all of the dependent packages, which puts Fedora somewhere between a rock and a hard place.

Current Node.js package maintainer Stephen Gallagher posted a message about the problem on the release day for Node.js 6.0. That release is a "significant ABI-breaking release, which means there is no guarantee that existing modules will work with it at all", he said. That release is slated to become the next long-term support release in October—on paper, that would make it a good choice for Fedora 24, since it will be supported until 2019. But Fedora 24 is nearly out the door, with a final freeze scheduled for the end of May and the release in mid-June. So, any change, especially one that could break all of the packages dependent on Node.js, is worrisome—at best.

Currently, Fedora 24 has Node.js 5.x, but that will be unsupported by the Node.js developers relatively soon. One option would be to stick with that, but once Fedora 24 is released, the project's policy of disallowing major ABI changes in a stable release would mean that Fedora has to pick up the maintenance burden. Gallagher put it this way:

This means manually backporting any security issues that come up without the benefit of a new version to rebase to and with an increasing likelihood of the patches diverging from upstream.

Another option might be to fall back to Node.js 4.x, which was released in October 2015 and will be supported until well after the end of life for Fedora 24, but that is not without potential problems as well. Any of the dependent packages that have started using features from 5.x may not work. It all adds up to no "particularly good options", he said.

No one in the resulting thread seemed to like the "stick with 5.x" option. There was some talk of just abandoning 5.x and moving to 6.x sometime around October, but that would require Fedora Engineering Steering Committee (FESCo) approval and would set something of a bad precedent. But "drago01" thought that concerns about upgrading the package during the release cycle were based on a misunderstanding of the update policy, which says that it is possible to upgrade when an upstream stops supporting a release if backporting fixes "would be impractical". The definition of "practical" is up to the packager and FESCo.

Gallagher pointed out that the policy is likely changing, however:

While true, FESCo recently (last Friday) approved a draft update to that policy that explains that backwards-compatibility breakages are almost never acceptable in a stable release. Since 6.0 breaks compat, FESCo would probably vote against the upgrade mid-release (and I would agree with that).

Tom Hughes noted that there actually might not be any problem falling back to 4.x, since most packages try to support both 4.x and 5.x. Gallagher confirmed that by querying the package repository:

So according to this, we have nothing in the package collection that is known to require only 5.x or later. So that's a point in favor of the 4.x downgrade approach.

I don't love the idea of regressing the versions post-Beta, but it's starting to look like the least-risky approach.

The beta release of Fedora 24 is targeted for May 10, so the regression to 4.x would happen after that. But if the repository metadata is accurate, there should be few repercussions to making the switch. Gallagher announced that plan on April 28 and asked Node.js users to test with the new package he had built.
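The query Gallagher ran is not shown on the page; what it had to answer is whether any packaged module carries an interpreter requirement that a 4.x Node.js cannot satisfy. The script below is an added example (not Fedora's tooling and not Gallagher's query) of that check. It assumes, as Fedora's nodejs-packaging generators do, that a module's dependency on the interpreter appears as an RPM requirement on the virtual provide nodejs(engine) with an optional version bound; the package names and requirement lines are constructed for illustration, not taken from the real repository.

```python
"""Find packaged Node.js modules that a candidate interpreter version would
leave unsatisfied.

Added example, not Fedora's tooling.  Assumes each module's dependency on the
interpreter is an RPM-style requirement on ``nodejs(engine)`` (the virtual
provide Fedora's nodejs-packaging generators emit from package.json's
"engines" field).  Sample data below is constructed, not real repository data.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: package -> lines in the shape `rpm -q --requires` prints.
# Only the nodejs(engine) lines are examined; other requirements are ignored.
SAMPLE_REQUIRES: Dict[str, List[str]] = {
    "nodejs-semver": ["nodejs(engine) >= 0.10", "nodejs(abi) = 46"],
    "nodejs-grunt": ["nodejs(engine) >= 4.0.0", "nodejs(engine) < 7"],
    "nodejs-newthing": ["nodejs(engine) >= 5.2.0"],
    "nodejs-legacy": ["nodejs(engine) < 5"],
    "nodejs-oddball": ["nodejs(engine) = 5.10.1"],
}

_REQ_RE = re.compile(r"^nodejs\(engine\)\s*(>=|<=|=|>|<)\s*([0-9][0-9.]*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.4' -> (4, 4).  Tuples compare numerically, so 4.10 > 4.9."""
    return tuple(int(p) for p in text.strip(".").split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad the shorter tuple with zeros so (5,) compares as 5.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(candidate: Tuple[int, ...], op: str, bound: Tuple[int, ...]) -> bool:
    """Does `candidate` meet the single constraint `<op> <bound>`?"""
    c, b = _pad(candidate, bound)
    return {">=": c >= b, "<=": c <= b, "=": c == b, ">": c > b, "<": c < b}[op]


def unsatisfied_by(candidate: str, requires: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {package: [failing nodejs(engine) lines]} for a candidate version.

    A package with no entry in the result would still be installable against
    the candidate interpreter, as far as its declared engine bounds go.
    """
    cand = parse_version(candidate)
    failures: Dict[str, List[str]] = {}
    for pkg, lines in requires.items():
        bad = []
        for line in lines:
            m = _REQ_RE.match(line.strip())
            if not m:
                continue  # not an engine constraint, e.g. nodejs(abi)
            op, ver = m.groups()
            if not satisfies(cand, op, parse_version(ver)):
                bad.append(line)
        if bad:
            failures[pkg] = bad
    return failures


if __name__ == "__main__":
    for version in ("4.4.3", "5.10.1", "6.0.0"):
        blocked = unsatisfied_by(version, SAMPLE_REQUIRES)
        print(f"Node.js {version}: {len(blocked)} package(s) unsatisfied")
        for pkg, lines in sorted(blocked.items()):
            print(f"  {pkg}: {', '.join(lines)}")
```

Declared bounds are only as good as what the module authors put in package.json; a module that merely omits an upper bound may still break on a new major release, which is why Gallagher asked users to test the rebuilt package rather than trusting the metadata alone.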

There was also some discussion of which Node.js branches should be used in the future. Hughes asked if it would ever make sense to use versions without long-term support given Fedora's thirteen-month support cycle. Gallagher replied that it turns out those releases are generally only supported for nine months or so, which means that Fedora should always ship the long-term support releases. That seems to be the plan moving forward.

In the end, it would seem that it will be a fairly painless transition, even if it looked like there were only ugly choices at the start. As part of its general philosophy, Fedora targets the newest releases of packages, which is presumably why Node.js 5.x got picked up in the first place. But the burden of maintaining an unsupported release, especially for an internet-facing package like Node.js, is quite large. Better to distribute an older version than to risk exposing Fedora Node.js users to the vulnerabilities that will undoubtedly be uncovered during the life of Fedora 24.


Brief items

Devuan Jessie beta released

The Devuan community has finally gotten a beta release out for testing. "Debian GNU+Linux [sic] is a fork of Debian without systemd, on its way to become much more than that. This Beta release marks an important milestone towards the sustainability and the continuation of Devuan as a universal base distribution."


The Linux Embedded Development Environment launches

The Linux Embedded Development Environment (or LEDE) project, a fork (or "spinoff") of OpenWrt, has announced its existence. "We are building an embedded Linux distribution that makes it easy for developers, system administrators or other Linux enthusiasts to build and customize software for embedded devices, especially wireless routers. [...] Members of the project already include a significant share of the most active members of the OpenWrt community. We intend to bring new life to Embedded Linux development by creating a community with a strong focus on transparency, collaboration and decentralisation." The new project lives at lede-project.org. (Thanks to Mattias Mattsson).


Newsletters and articles of interest


Ubuntu 16.04 Review: What’s New for Desktop Users (Linux.com)

Linux.com reviews Ubuntu 16.04 LTS on the desktop, including Snaps, a new way of packaging and delivering applications. "Snaps also offer relatively more security because each app is sandboxed -- although there is still some room for improvement. But, like any other new technology, it will get better with time. In regard to privacy and security, I should mention that Unity previously was heavily criticized for integrating online ads and services with Dash. It was seen as a privacy leak. Ubuntu 16.04, however, comes with the latest version of Unity for the desktop -- that's 7.4 -- which disables online search or ads as the default."


Page editor: Rebecca Sobol


Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds