AutoQA: distro congestion?

Kevin Fenzi kevin at scrye.com
Thu Apr 21 14:33:54 UTC 2011


On Thu, 21 Apr 2011 10:51:16 +0300
Axel Thimm <Axel.Thimm at ATrpms.net> wrote:

> On Wed, 2011-04-20 at 12:26 -0600, Kevin Fenzi wrote:
> > The various update streams flow differently. For a normal day,
> > EPEL4/5/6 might have about 2-20 updates. It might be practical to
> > look at all these for a quick glance. f14 (updates and testing) has
> > around 30-50ish. f13 has around 5-20, and f15 has too many to even
> > count. ;) It's just not at all practical to have the people signing
> > the updates look at each one for criteria.
> 
> Are all these security updates? I'm only arguing in favour of a
> fastlane method for security updates.

No, but the bodhi interface doesn't separate them. You can push testing
or stable for each release, and it basically gives you a long list of
packages that are pending for those states. Then you sign them and push
them out. To review security ones we would have to have it separate
them out, print out a url for each and have to review each one.

> The package in question may not be used by many people, but may have
> severe security implications. If the user count is low you will not
> find many or any users to karma it up, or even a proventester, OTOH
> the users that do have this package in operation will be exposed
> until the package sits off its time in testing - where probably no
> one will have given it a go anyway. You may also not want to
> advertise the security issues too loudly: You don't only attract
> testers that way, but also exploiters.

Sure, but it's always an issue with projects like Fedora. You commit a
fix to a security issue, someone watching commits can see it right
then, before the package is even built much less pushed to stable. 

It might be nice if we had a group of testers specifically testing
security updates. That way they could check the CVE and commit and test
the package out to get them moved as quickly as possible. Not sure how
to create such a group however. 

kevin