Drawing lessons from fatal SELinux bug #1054350

Kevin Kofler kevin.kofler at chello.at
Sat Jan 25 18:17:14 UTC 2014

Michael Schwendt wrote:
> By the time the first testers noticed the scriptlet errors it was too
> late, since stable updates cannot be withdrawn.

That is also not a law of physics. In the early days of Bodhi, one could 
actually unpush stuff from stable. Having stable updates become immutable is 
purely a policy decision. Withdrawing faulty updates has been done in the 
past (even after Bodhi stopped allowing it in the normal case; the pulling 
has then been done by an admin) and should be done again. Of course it won't 
fix the systems that already got upgraded, but it will (within mirroring 
delays) stop MORE systems from getting affected (and those that did already 
get the faulty update won't notice the difference, unless they distro-sync, 
in which case withdrawing the update actually fixes them, so in no case does 
it make things worse for them).

And I don't see any valid reason why stable updates cannot simply be 
withdrawn or sent back to testing by the maintainer. The update notes should 
also remain editable, so that bug references can be added when the bug was 
only found to be fixed after the stable push, errors in the update 
description can be fixed, etc.

        Kevin Kofler
