Urgent security updates process proposal
Kevin Fenzi
kevin at scrye.com
Mon Apr 13 17:58:10 UTC 2015
Greetings.
Releng (and others) have been discussing a process for handling 'urgent
security updates', i.e., critical security flaws that need to go out
quickly.
I proposed something in the releng ticket where we have been discussing
this and we thought this might be a good time to talk to QA folks and
get any feedback before we move any further with it.
prereqs:
* bodhi adds fedora-urgent-NN setups. Its mash config has no drpms.
Possibly its interface doesn't even show this product if there are 0
updates in it (which should be the normal state).
* fedora-release-repos pushes out a version with new
fedora-urgent-updates and fedora-urgent-updates-testing repos. They use
metalinks and normally point to an empty repo.
Process:
* Maintainer(s) follow the normal update process. Build in koji, submit
update to bodhi, etc.
* They submit a releng ticket asking for the update to be in urgent
updates.
* If approved, releng submits the update(s) to the urgent-updates
product, signs them and pushes them to testing. atomic trees are
also updated at this point.
* The repo is synced to an urgent-updates-testing repo and must get +3
karma to pass this point.
* On stable karma the update(s) are pushed to the urgent-updates repo
and synced out.
* Mirrormanager is poked to update the repodata and metalink, which at
first just points to master mirrors, but over time as more sync adds
more mirrors.
* After the update goes to stable in normal updates + 1 week, the
urgent updates repo is cleared out and an empty repo is pushed out.
comments:
* This will be faster than the current setup because it can be done
independently of normal updates pushes, the repos will be very small
(mashing should take very little time), there are no drpms, etc.
* The longest times here will be mirrormanager noticing the updated
repos, and the human steps like noticing the ticket, pushing the
updates, testing the updates, etc.
* We really do need mirrormanager here unless we want all users to
always hit master mirrors empty repo (which some may see as a way to
track or count them). Also, we really want a metalink as it's much
better than a baseurl.
* We need bodhi here to have sanity checks like all rpms signed,
repodata has security update info for security plugins, etc.
Issues:
* Is a releng ticket right to ask for this? Who approves it and how?
* Is this going to be fast enough to make it worthwhile?
* Is there a way to reduce waiting for humans here without bypassing
some important checking?
Feedback welcome here or if you want, the releng ticket:
https://fedorahosted.org/rel-eng/ticket/5886
Thanks,
kevin