Rapid release for security updates
Ralf Corsepius
rc040203 at freenet.de
Wed May 27 10:18:04 UTC 2015
On 05/26/2015 06:22 PM, Stephen Gallagher wrote:
> On Tue, 2015-05-26 at 15:33 +0200, Ralf Corsepius wrote:
>> On 05/26/2015 12:10 PM, Andrew Haley wrote:
>>> Something needs to be done, but I'm not sure
>>> exactly what.
>>
>> IMO, all this should not be a problem, if collaborative maintenance
>> works.
>>
>> What I mean, IMO, critical packages should have a sufficient number
>> of
>> co-maintainers, who should be presumed to be sufficiently familiar
>> with
>> a package to provide enough karma, which would allow such packages to
>>
>> pass quickly.
>>
>
>
> That might work for comparatively simple packages, but what about the
> kernel? Kernel updates have the potential to completely break things
> (particularly if the security patch comes along with a point release).
Well, admitted the kernel is a special case :-)
Therefore, I wrote "co-maintainers, who should be sufficiently familiar
with a package" above, and did not write "arbitrary packagers" or
"arbitrary users". I am presuming "knowledgeable people", who at least
are able to estimate the impact of a set of changes in cases of "urgent
security updates".
IMO, arbitrary users' karma are mostly worthless - in general. In most
cases, all these karma-votes are telling is "update doesn't immediately
let my system go up in flames".
> I'm not trying to disparage the kernel maintainers, but there's
> absolutely no way they can test all possible hardware before releasing
> an update.
>
> There's still value to the updates-testing repo, even for security
> updates.
Definitely. May-be I wasn't clear enough. I do not want to circumvent
updates-testing, but wanted to sketch a route to utilize updates-testing
even for urgent security updates.
> I agree we need to figure out ways to "grease the wheels" so that
> important updates get out faster, though.
The aspect I was referring to is "urgency". In this cases, IMO, it's
more than appropriate to ask those people who can be assumed to be best
knowledgeable (e.g. co-maintainers and/or a dedicated "security team")
to team up.
Of course, this all presumes "critical" packages (firefox, thunderbird,
kernel, glibc, ssh/ssl etc,) and updates have a team behind and aren't
soloist efforts.
Ralf
More information about the devel
mailing list