Drawing lessons from fatal SELinux bug #1054350

Michael Schwendt mschwendt at gmail.com
Sat Jan 25 19:28:43 UTC 2014


On Sat, 25 Jan 2014 19:17:14 +0100, Kevin Kofler wrote:

> > By the time the first testers noticed the scriptlet errors it was too
> > late, since stable updates cannot be withdrawn.
> 
> That is also not a law of Physics. In the early days of Bodhi, one could 
> actually unpush stuff from stable. 

Pointing that out doesn't make a difference. Obviously, I don't refer
to technical constraints. Even before bodhi, e.g., the Fedora Extras signers
could modify the master repo in an emergency situation.

> Having stable updates become immutable is purely a policy decision.

Sure.

> Withdrawing faulty updates has been done in the 
> past (even after Bodhi stopped allowing it in the normal case; the pulling 
> has then been done by an admin) and should be done again. Of course it won't 
> fix the systems that already got upgraded, but it will (within mirroring 
> delays) stop MORE systems from getting affected (and those that did already 
> get the faulty update won't notice the difference, unless they distro-sync, 
> in which case withdrawing the update actually fixes them, so in no case does 
> it make things worse for them).

Not sure that can be generalised. Distro-sync may downgrade packages.
We don't test downgrades of packages (scriptlets e.g.), and we don't test
downgrades of software either. We can't be sure downgraded software can
restore state at runtime after a previous upgrade may have touched
(= converted, renamed or replaced) config files or database files.
Downgrades could also affect dependencies and may make it necessary
to have a system update tool run distro-sync automatically. There are
enough users already who play too much with --skip-broken instead of
reporting uninstallable updates/packages quickly.
