On 20.12.2007 16:05, Michael Schwendt wrote:
On Thu, 20 Dec 2007 08:41:24 +0100, Thorsten Leemhuis wrote:
[...] there are currently up to four (or even more) days between pushes afaics (the last one right now for example was on 15 December 2007):
- for normal updates that's not a problem, but I think four days are
too long a delay for updates that fix security issues.
If that is true,
Not sure, but the number of security updates in one push looks a bit odd now and then; take for example
https://admin.fedoraproject.org/updates/F8/FEDORA-2007-3308
Fixes multiple CVEs, but seems it took round about 7 days from build to the proper repos. The maintainer might be responsible for parts of this timeframe -- but it looks like it took 2 days from koji/bodhi creation to testing, and five from testing to stable.
then wtf is the purpose of the "security" check-box in bodhi if it doesn't inform release engineers about the necessity to push a security related update?
I suppose part of the reason is to add a [SECURITY] to the subject and mark it properly in the metadata.
[...]
And, BTW, what's exactly the problem with "moving target for all mirrors"? There were (are?) yum problems iirc (¹), but I suppose we can fix them if we want?
If the master site is modified too often, the window, during which mirrors can sync a complete set [*] of changes, becomes smaller. I guess Matt Domsch can tell how often mirrors sync on average.
But on the other hand pushing a lot more packages at once makes the dataset bigger, which makes the windows smaller for that sync. But I don't care much.
(¹) -- downloading metadata from one mirror, download error on it, switching to another mirror that has an even newer push where the file yum tries to download is already gone again
That's one of the problems. Files not found, persistent metadata checksum errors (older repomd.xml from previous mirror in conjunction with newer metadata from other mirrors), users seeing update announcements but tools not seeing the updates [yet].
Yeah, I've seen it as well. Should we file bugs (or are there bugs about it already?)? skvidal?
And last but not least, do you like being notified about system updates daily?
If they are security or otherwise relevant: yes. Queuing the other stuff for a once-a-week-push might be okay to the stable repos (but testing more often would be nice).
First there's a series of minor version updates for some package, then upstream releases the next stable major version, and the packager smacks his lips because it's so exciting to push that hot new stuff to Fedora 7+8+development instead of giving it time to test it in development.
+1
CU knurd