qemu has been moving too aggressively in gentoo recently. the most recent officially stable branch is 2.7 (https://github.com/qemu/qemu/branches/all) and it has been removed already. 2.8 just came out of rc and still has critical issues in some environments (eg. https://bugs.gentoo.org/show_bug.cgi?id=614548) considering qemu is a complex and critical component, I believe it's appropriate to keep at least one officially stable version around and give new releases more time to mature. marking this critical, as users on stable tree will get unstable updates and in case of critical issues have no downgrade path and instead have to rely on unofficial overlays or compiling manually to regain stability. Reproducible: Always
you are looking for a page which is a bit outdated. The main page is: http://www.qemu-project.org/download/#source which ATM says that the rc is the 2.9 branch and the latest stable is the 2.8 However, if you want to run 2.7, you can easily download the ebuild and emerge it locally, but pay attention if all security issue are fixed in that branch. Assigning to qemu@ if they want to add something.
the link I provided is not outdated, it's an up-to-date github mirror of the qemu repository and it doesn't have a `stable-2.8` branch. the list you posted is merely a list of released versions. just because a release is not rc doesn't imply it's stable. there's no distribution I see (which has the conception of stable/unstable packages) where 2.8 would be marked stable. even the latest proxmox beta which was released one week ago still uses 2.7.1. 2.8 was marked stable in gentoo ~2 weeks after it left rc. 2.7 was entirely removed another 2 weeks later. qemu and especially the diversity of scenarios it's used in is way too complex to be marked stable that quickly.
> 2.8 was marked stable in gentoo ~2 weeks after it left rc. > 2.7 was entirely removed another 2 weeks later. All of this in response to security issues that had to be fixed. Please keep in mind that the presence of a "stable-2.8" branch doesn't imply said versions to be stable. It is simply a branch to create a maintenance release (for example 2.8.1). That said, unfortunately, stable doesn't necessarily imply that said versions have all security patches. For example 2.8.0 currently requires ~50 patches for 25 CVEs, almost all of these patches are applied to the current development version (2.9-rcX). But only for 9 CVEs patches were cherry-picked to 2.8.1 (we still have to apply 16 patches). None of these security issues are fixed in 2.7.1 and backporting ~50 patches to 2.7.1 is a huge maintenance burden. Hence I dropped 2.7.*.
And having all security patches doesn't imply a version is stable. How severe are those security issues if they are not backported upstream? `2.8.0-r9` breaks _all_ my guests in one way or another. Non-hardened guests don't soft reboot. Hardened guests have broken networking in addition. It doesn't matter how many security holes are fixed in 2.8. `2.8.9-r9` is unusable for productive systems in this state. I would appreciate not to have this marked resolved until there is a reasonable conclusion. having a secure but otherwise broken stable version certainly is not.
More proof that any current version >=qemu-2.8.0 is currently not stable or suited for productive use, security patches or not. https://bugs.gentoo.org/show_bug.cgi?id=617232
