Urgent security updates process proposal

Kevin Fenzi kevin at scrye.com
Mon Apr 13 17:58:10 UTC 2015


Greetings. 

Releng (and others) have been discussing a process for handling 'urgent
security updates', i.e., critical security flaws that need to go out
quickly.

I proposed something in the releng ticket where we have been discussing
this and we thought this might be a good time to talk to QA folks and
get any feedback before we move any further with it. 

 prereqs:

 * bodhi adds fedora-urgent-NN setups. Its mash config has no drpms.
   Possibly its interface doesn't even show this product if there are 0
   updates in it (which should be the normal state).

 * fedora-release-repos pushes out a version with new
   fedora-urgent-updates and fedora-urgent-updates-testing repos. They
   use metalinks and normally point to an empty repo.

 Process:

 * Maintainer(s) follow the normal update process. Build in koji, submit
 update to bodhi, etc.

 * They submit a releng ticket asking for the update to be in urgent
 updates.

 * If approved, releng submits the update(s) to the urgent-updates
   product, signs them and pushes them to testing. atomic trees are
   also updated at this point. 

 * The repo is synced to an urgent-updates-testing repo and must get +3
   karma to pass this point.

 * On stable karma the update(s) are pushed to the urgent-updates repo
   and synced out.

 * Mirrormanager is poked to update the repodata and metalink, which at
 first just points to master mirrors, but over time as more sync adds
   more mirrors.

 * After the update goes to stable in normal updates + 1 week, the
   urgent updates repo is cleared out and an empty repo is pushed out.

 comments:

 * This will be faster than the current setup because it can be done
   independently of normal updates pushes, the repos will be very small
   (mashing should take very little time), there are no drpms, etc.

 * The longest times here will be mirrormanager noticing the updated
   repos, and the human steps like noticing the ticket, pushing the
   updates, testing the updates, etc.

 * We really do need mirrormanager here unless we want all users to
   always hit master mirrors empty repo (which some may see as a way to
   track or count them). Also, we really want a metalink as it's much
   better than a baseurl.

 * We need bodhi here to have sanity checks like all rpms signed,
   repodata has security update info for security plugins, etc.

 Issues:

 * Is a releng ticket right to ask for this? Who approves it and how?

 * Is this going to be fast enough to make it worthwhile?

 * Is there a way to reduce waiting for humans here without bypassing
   some important checking?

Feedback welcome here or if you want, the releng ticket: 

https://fedorahosted.org/rel-eng/ticket/5886

Thanks, 

kevin
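
Added example, not part of the original message and not Bodhi code: one way to run the "repodata has security update info" sanity check mentioned above, by confirming that every RPM in the small urgent repo is listed under a type="security" advisory in updateinfo.xml. The sample metadata, package names and advisory IDs are constructed, and the list of repo RPM filenames is assumed to come from the caller.

```python
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml sample; names and advisory IDs are made up.
UPDATEINFO = """<updates>
  <update type="security" status="testing" from="updates@example.org">
    <id>EXAMPLE-2015-0001</id>
    <title>examplepkg security update</title>
    <pkglist><collection short="urgent">
      <package name="examplepkg" version="1.0" release="2.fc21" arch="x86_64">
        <filename>examplepkg-1.0-2.fc21.x86_64.rpm</filename>
      </package>
    </collection></pkglist>
  </update>
  <update type="bugfix" status="testing" from="updates@example.org">
    <id>EXAMPLE-2015-0002</id>
    <title>otherpkg bugfix update</title>
    <pkglist><collection short="urgent">
      <package name="otherpkg" version="2.1" release="1.fc21" arch="noarch">
        <filename>otherpkg-2.1-1.fc21.noarch.rpm</filename>
      </package>
    </collection></pkglist>
  </update>
</updates>"""


def security_covered(updateinfo_xml):
    """Return RPM filenames listed under advisories with type="security"."""
    covered = set()
    for update in ET.fromstring(updateinfo_xml).iter("update"):
        if update.get("type") != "security":
            continue  # bugfix/enhancement entries do not satisfy the check
        for filename in update.iter("filename"):
            if filename.text:
                covered.add(filename.text.strip())
    return covered


def uncovered_rpms(repo_rpms, updateinfo_xml):
    """Return repo RPMs that security plugins would not see as security fixes.

    An empty repo (the normal state of the urgent repo) passes trivially.
    """
    return sorted(set(repo_rpms) - security_covered(updateinfo_xml))


if __name__ == "__main__":
    rpms = ["examplepkg-1.0-2.fc21.x86_64.rpm", "otherpkg-2.1-1.fc21.noarch.rpm"]
    print("missing security advisory:", uncovered_rpms(rpms, UPDATEINFO))
```

A push gate would refuse to sync the repo while this list is non-empty; signature checking of the RPMs themselves is a separate step not shown here.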