[Fedora-packaging] critical path security update policy

Björn Persson Bjorn at xn--rombobjrn-67a.se
Sun Apr 19 16:06:25 UTC 2015


Jerry Bratton wrote:
> Voting on this one particular update would not help to address the
> larger problem I'm seeing that many security updates take several
> days or even weeks to reach users. The issue is more pronounced in
> F20 than F21 or F22, presumably because there is more interest in
> testing the later releases, but the issue is there nonetheless.

I think you're beginning to get at the actual issue: a lack of interest
in testing. Updates could get out much faster if more users would help
test them.

> Even if I were to vote on security updates
> that I noticed were taking a long time in testing, there's still the
> probability that there are many other security updates stuck in
> testing for a long time that I never know about, leaving my system
> vulnerable.

You could address that for yourself by enabling the updates-testing
repository. Then you'll get all the latest updates in testing every
time you update. If you don't want to do that, then it's presumably
because you want the updates you install to be tested. But you seem to
find untested updates acceptable if they're security-related. What if
you could install only security updates from testing and put off other
updates until they go stable?

(Installing only security updates and no other updates isn't a very good
idea, because a general version upgrade or bugfix update may later be
found to have fixed some security issue, and then an update that has
already been pushed won't get tagged as a security update after the
fact. But installing security updates from testing and other updates
when they go stable would make sense.)

Being a tester in Fedora seems to be rather all-or-nothing. The only
easy way to test updates that I know of is to run with updates-testing
enabled. By doing that one takes substantial risks and gets none of the
benefit of tested packages. Those who are willing to do that aren't
likely to use F20 updates-testing; they're probably using F22 by now.

I think more users might help with the testing if they could test only
a few packages that they care particularly about. There seems to be a
need for an easy way to find out when there are updates in testing of
packages one uses frequently, and to selectively install such packages
without installing the rest of updates-testing. If such a thing exists,
then it hasn't been announced widely enough for me to notice it in my
eleven years as a user and five years as a packager. The way I find out
about updates is the package-announce mailing list, where they're
announced only when they're pushed to stable.

Björn Persson
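The workflow proposed above (take security updates from updates-testing while letting everything else wait for stable, and watch only a few packages one cares about) as an added shell example; it is not part of the original post or of Fedora's own tooling. It assumes a Fedora system with dnf (the F22 default) and dnf's `updateinfo list`, `--security` and `--enablerepo` options; the advisory lines in `SAMPLE` are constructed to resemble `dnf updateinfo list` output, and the FEDORA-2015-ex* identifiers are placeholders, not real advisories.

```shell
#!/bin/sh
# Added example: security-only updates from updates-testing, other updates
# from stable, plus a filter for a short list of packages one cares about.

# Show which security advisories are pending in updates-testing without
# installing anything (assumes dnf with the updateinfo command).
list_testing_security() {
    dnf --enablerepo=updates-testing updateinfo list --security "$@"
}

# Install security updates only, drawing from updates-testing as well as stable.
# On a yum-based release (F20) the assumed equivalent is:
#   yum --enablerepo=updates-testing --security update
apply_testing_security() {
    dnf --enablerepo=updates-testing upgrade --security "$@"
}

# Everything else comes from the stable repositories only.
apply_stable_rest() {
    dnf upgrade "$@"
}

# Keep only advisory lines whose type column mentions security
# (dnf prints e.g. "security" or "Moderate/Sec." depending on version).
security_only() {
    awk '$2 ~ /[Ss]ec/'
}

# Keep only advisory lines for the packages named in $1 (space separated).
# The package column is "name-version-release.arch"; the name is everything
# before the last two hyphens.
filter_watched() {
    awk -v watched="$1" '
      BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
      NF >= 3 {
        name = $NF
        sub(/-[^-]*-[^-]*$/, "", name)
        if (name in want) print
      }'
}

# Count non-empty lines; prints 0 instead of failing on empty input.
count_lines() {
    grep -c . || true
}

# Constructed sample, shaped like `dnf updateinfo list` output (not captured).
SAMPLE='FEDORA-2015-ex01 security openssl-1.0.1k-1.fc22.x86_64
FEDORA-2015-ex02 bugfix vim-7.4.640-1.fc22.x86_64
FEDORA-2015-ex03 security kernel-3.19.3-200.fc22.x86_64'

# Demo on the constructed sample: security advisories for two watched packages.
printf '%s\n' "$SAMPLE" | security_only | filter_watched "openssl kernel"
```

In practice one would pipe `list_testing_security` into `security_only | filter_watched "..."` to see what is waiting in testing for the packages one uses, then run `apply_testing_security` followed by `apply_stable_rest`.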