Hello,
First: we agreed that we don't want just any update using this -- it
should be for updates that are both critical and urgent. (Remote root
ssh exploit, anyone? *knock on wood*) So, we think it makes sense for
updates to be selected for this process by the security team. The
question is: who should that be exactly, and how should that group be
defined. (An existing FAS group? A special new one? Something else?)
FST members could handle this.
Second, a more technical matter. In order for an update to be treated
specially, it will need something special in Bodhi. One relatively easy
way is to have the security person (from question #1) submit the
update, instead of the packager. (Or, possibly, in *addition* to the
packager submitting the update for the regular repositories.) Since
this is something that hopefully will happen a couple of times a year
(or less!), is that workable? Or, would it be better for the packager
to submit the update as normal, but provide some button or checkbox
available to the security team to escalate the update to the urgent
repo?
I think it should be okay for a packager to push such updates. What is
important is to push them in time.
Third, any other questions or concerns?
Is this going to be a separate repository? How do we handle the testing/QA part
on an urgent basis?
--- -P J P
http://feedmug.com