new metadata (`last-update`) for OSes without a formal EOL and OSes that have (paid) security support past EOL
Summary: When creating a VM, unsupported OSes shouldn't be promoted by default, especially for servers. In most cases, EOL works, but in some it doesn't at all... and 10 years (virt-manager's grace period) or even 3 years (Cockpit's grace period) is a very long time to run an OS that hasn't had any security updates or support. There should be another data point which could be used to filter the list.
Details:
In Cockpit — specifically Cockpit-Machines — we needed a way to filter out all unsupported OSes. EOL is the right thing to use, but some OSes don't have EOL listed. Therefore, we added some time to the release date (3 years in Cockpit-Machines). It generally worked well, but isn't quite right.
Virt-Manager did the same, but added 10 years. When we implemented it in Cockpit, 10 years was clearly the wrong time window in some cases, such as Mandriva where the company ended in 2015 and the last release was in 2010. (We implemented it a few years back, so the last release of Mandriva from 2010 was still showing up in 2018). As a result, Cockpit has a 3 year grace period from the release (which osinfo has as the original release date, not the latest release date, which is different for long term OSes) when there's no EOL listed.
What we really would need is something like a last-update
field, especially for OSes without EOL, so we could add some time since the last update. (For example: If something was last updated more than a year ago and it doesn't have an EOL, then it is not supported, as every OS and distribution worth using has security updates. So we'd check EOL first, then fall back on the last updated date and add a year.)
Trying to update a last-update
for an every active OS would introduce too much work (as every current OS churns quite a bit), so it should probably be reserved only as:
- a fallback for OSes without a formal EOL
- those which have support that exceeds EOL, such as Windows Server 2012*, which has formal EOL in 2023 and paid security updates through 2026 (in this specific case, the date might be in the future... it's probably TBD (to be discussed/decided) though) — in a UI, it could still show as unsupported (past EOL), but it wouldn't be filtered out until the grace period (probably 1 year) after
last-update
expires
* win2k12 update schedules for reference: https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2012 https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2012-r2