Retirement policy
Background
There are three reasons for retiring a package in EPEL.
-
The package is now included in RHEL.
-
Security reasons.
-
Maintainer no longer has time and/or desire.
Process: Package in RHEL
If a package is in RHEL, you should have received a bug telling you your package is going to be in RHEL. It should also say which RHEL release it will be in (e.g. RHEL 8.8).
Do not remove your EPEL package until you have verified that it is in RHEL.
-
If the package version in RHEL is older than the version in EPEL, send an e-mail to epel-devel, documenting the potential loss of functionality. If the package version in RHEL is the same or newer, sending the e-mail is optional
-
Once your package is in RHEL, you should retire the package from EPEL.
-
fedpkg switch-branch epel8 (or whichever epel branch is correct)
-
fedpkg retire "REASON FOR RETIREMENT"
-
Process: Security Reasons
If a package has a severe security issue, and the fix cannot be backported, usually this can be fixed with an incompatible upgrade. If the EPEL version is fairly old, and a newer version cannot be built, it’s possible that the only choice of action is to remove the package.
-
Send e-mail to epel-devel with details of the proposed retirement. Include items such as the CVE of the security issues affecting the existing version, and/or an upstream bug tracker reference (if applicable). Also reference a bug in Bugzilla against the package.
-
Discussion takes place on epel-devel for a minimum period of 1 week, unless this is for a critical security update such as remote root.
-
The maintainer is then responsible for sending an e-mail to epel-announce. It should announce the retirement and specific actions that users must take in order to continue using the software (e.g. install using
pip
or some other delivery mechanism). -
-
fedpkg switch-branch epel8 (or whichever epel branch is correct)
-
fedpkg retire "REASON FOR RETIREMENT"
-
Process: No Time or Desire
EPEL is run and maintained by many volunteers. A person’s life, job, and priorities change over time. It is natural that a time might come that you no longer have the time or desire to maintain a package.
-
Check if there are other maintainers of the package. https://src.fedoraproject.org/rpms/<package> If there are, ask them if they would like to maintain the epel branches.
-
If none of the other maintainers want to maintain the epel branches, send an e-mail to epel-devel. Let us know you cannot maintain the package anymore, and none of the other maintainers can either. If there is anything special about the package, or urgent issues such as the package not being installable, let us know that as well.
-
After two weeks, If nobody has volunteered to take over the package for you, send an e-mail to epel-announce. It should announce the retirement and specific actions that users must take in order to continue using the software (e.g. install using
pip
or some other delivery mechanism). -
-
fedpkg switch-branch epel8 (or whichever epel branch is correct)
-
fedpkg retire "REASON FOR RETIREMENT"
-
Process: Not Installable
There are times that packages are not installable in EPEL. These packages fall into two categories. Packages that once were installable, but no longer are. Packages that were never installable.
Process: Once Installable
If a package was once installable, but no longer is, try to fix the problem. If you cannot, or you do not have the time or desire to fix it, follow the No Time or Desire policy
Process: Never Installable
If a package was never installable in an EPEL repo, try to fix the problem. If you cannot fix the problem and wish to retire the package from that EPEL branch / repo, you can.
-
-
fedpkg switch-branch epel8 (or whichever epel branch is correct)
-
fedpkg retire "REASON FOR RETIREMENT"
-
Want to help? Learn how to contribute to Fedora Docs ›