Retirement policy

Background

There are three reasons for retiring a package in EPEL.

  • The package is now included in RHEL.

  • Security reasons.

  • Maintainer no longer has time and/or desire.

Process: Package in RHEL

If a package is in RHEL, you should have received a bug telling you your package is going to be in RHEL. It should also say which RHEL release it will be in (e.g. RHEL 8.8).

Do not remove your EPEL package until you have verified that it is in RHEL.

  • If the package version in RHEL is older than the version in EPEL, send an e-mail to epel-devel, documenting the potential loss of functionality. If the package version in RHEL is the same or newer, sending the e-mail is optional.

  • Once your package is in RHEL, you can remove it from EPEL.

Process: Security Reasons

If a package has a severe security issue, and the fix cannot be backported, usually this can be fixed with an incompatible upgrade. If the EPEL version is fairly old, and a newer version cannot be built, it’s possible that the only choice of action is to remove the package.

  1. Send e-mail to epel-devel with details of the proposed retirement. Include items such as the CVE of the security issues affecting the existing version, and/or an upstream bug tracker reference (if applicable). Also reference a bug in Bugzilla against the package.

  2. Discussion takes place on epel-devel for a minimum period of 1 week, unless this is for a critical security update such as remote root.

  3. Item is added to agenda for discussion at weekly EPEL Steering Committee meeting.

  4. If a majority of those present at the EPEL Steering Committee meeting concur, the package can be retired.

  5. The maintainer is then responsible for sending an e-mail to epel-announce. It should announce the retirement and specific actions that users must take in order to continue using the software (e.g. install using pip or some other delivery mechanism).

  6. Retire the package.

Process: No Time or Desire

EPEL is run and maintained by many volunteers. A person’s life, job, and priorities change over time. It is natural that a time might come when you no longer have the time or desire to maintain a package.

  1. Check if there are other maintainers of the package at https://src.fedoraproject.org/rpms/<package>. If there are, ask them if they would like to maintain the epel branches.

  2. If none of the other maintainers want to maintain the epel branches, send an e-mail to epel-devel. Let us know you cannot maintain the package anymore, and none of the other maintainers can either. If there is anything special about this package, let us know that as well.

  3. After two weeks, if nobody has volunteered to take over the package for you, feel free to retire the package.