[Fedora-packaging] critical path security update policy

Michael Schwendt mschwendt at gmail.com
Mon Apr 20 21:30:42 UTC 2015


On Mon, 20 Apr 2015 22:51:49 +0200, Jerry Bratton wrote:

> >Check out the bodhi ticket! In particular the automated comment from
> >2015-04-18. With the next push it will appear in the updates repo. That
> >is not a matter of minutes, because AFAIK the release process is not fully
> >automatic [yet] and triggered by an admin.
> >
> >Btw, 18 minus 7 is not 17. And IMO you're getting unfair, if you don't
> >take into account the time it takes for package maintainers to prepare
> >updates.
> 
> Today is April 20th. Mozilla released the fix April 3rd. Twenty minus three is seventeen.
>

Look at http://koji.fedoraproject.org/koji/packageinfo?packageID=37

Do you want to extend your complaints, because it has taken a few days for
packages to be ready to begin with? April 4th and 5th were a weekend. Build system
lists builds made on April 7th. Update system lists updates entered on April 7th.
That corrects the numbers a bit.

> This is intended to be a discussion about how to reduce the time it takes for security updates to reach users.
>

Currently, as a minimum, positive feedback from _two_ testers can lead
to a security update being released very quickly, provided that there
is the manpower to prepare builds quickly and enter them in the
updates system quickly. Possibly even during weekends. ;-)

> The figure of 17 reflects the time so far it has taken for this fix on
> Fedora's end.

Look at https://admin.fedoraproject.org/updates/search/firefox

Notice the "Karma" column. Notice the corresponding security update for
Fedora 21. Click on it. Watch the votes and comments.

> I am not trying to be "unfair," I am simply pointing out
> the reality.

Reality could be that Fedora 20 doesn't get as much love anymore as
Fedora 21, does it? Else there would have been one more tester to care
about this security update. Users/testers may have moved on to Fedora 21
or Fedora 22 Alpha/Beta.

> There are any number of bottlenecks that have already
> been mentioned in this thread which are contributing to the 17 day
> wait at Fedora. The 2 day wait (so far) since this was marked stable
> is yet another example. It is my feeling that there is room for
> improvement, which is why I initiated this dialog to explore in what
> ways the process may be improved.

Sure there is room for improvement. That applies to many other areas
as well. I've pointed out how *you* could make a difference _today_ by
speeding up the release of an update rather than sitting and waiting for
others to do all the work.
