Repository Archival Proposal

[pjbgf]

I propose the repositories for Flux v1 (fluxcd/flux and fluxcd/helm-operator) are archived as of 1st November.

Reasoning behind the proposal:

• Some dependencies are pinned to EOL versions, which cannot be upgraded without causing regressions or a cascading amount of changes to the codebase. Kustomize is one of the dependencies that cannot be upgraded, and currently it has more than 20 CVEs, including 11 that are high or critical.
• All Kubernetes dependencies are pinned within version v1.21. That version is end-of-life support upstream.
• Users using newer versions of Kubernetes (above v1.21) are starting to experience issues that we cannot resolve due to the project being in maintenance mode. The next version up (Kubernetes v1.22) becomes end-of-life from 28th Oct 2022 and will no longer be supported upstream, for bug fixes nor security patches.
• The repositories not being archived send a message to the community that they are being actively maintained, which is not completely true as both repositories haven't received meaningful changes for the past 2 years, which was when they were put on maintenance mode.

I would like to hear from the community around concerns or issues with the proposal above, and will be closely monitoring this issue for the next week to that effect.

Relates to fluxcd/website#1156 (review).

[stefanprodan]

I'm in favour to archive this repository on 1st Nov 2022. We've promised users to maintain Flux v1 and Helm Operator for 6 months after reaching feature parity in v2. Given that feature parity was reached in Feb 2021, I think we've gave plenty of time to those that wanted to migrate to do so.

[kingdonb]

Just to be clear, we are only talking about making Flux v1's maintenance status clarified with respect to the recommendation to not use for security reasons, since IMHO Flux v1 use can no longer be supported in good conscience (there are too many CVEs to fix without breaking backwards compatibility)

This change makes new Flux v1 releases impossible from our end, and signals the end of life support, but it does not make Flux v1 no longer installable. The deployment artifacts will all remain accessible and existing Flux v1 users can go on using it against advice as long as necessary, nothing will change in that respect, and hopefully before long they will all see that Flux v1 is finally hard deprecated and move onto the next version with us.

Point being no docker images will be removed from Docker hub at this time, and old versions of Flux that you may still be using, or even plan to install today, will continue to work if they've been working. End of support just means no more releases. 👍 from me.