security update process failure
cra at WPI.EDU
Mon Sep 5 03:14:27 UTC 2011
On Sun, Sep 04, 2011 at 05:34:43PM -0700, Adam Williamson wrote:
> On Sun, 2011-09-04 at 23:01 +0200, Karsten Hopp wrote:
> > Hi!
> > I'd call it a failure when a security update for a critical path package gets stuck in
> > -updates-testing for 6 weeks. I'm talking about the F14 libcap update, where only one
> > proventester cared to test the updated package and commented on it.
> > Sure, it is only a minor security issue, but shouldn't security updates have priority in
> > testing over any pet packages you have?
> > Security updates certainly take preference for me as I'm trying to get them submitted as
> > early as possible. But when a package sits in -testing for such a long time I need to ask
> > myself why I should bother with doing timely security updates at all.
> The problem is really that not enough people test old releases. Barely
> any proventesters are on F14. If you look, it's hardly just your update
> that's waiting on karma; there are quite a few waiting for F14.
> I've had 'do f14 karma' on my todo list for about a week and a half, but
> f16 keeps eating the time.
> I've mentioned this several times and floated a few ideas to fix it (as
> have others), but they haven't really gone anywhere. I haven't seen any
> indication that FESCo (which defined the update requirements - it's not
> a QA thing) considers it a big problem.
I need guidance. I've installed the F14 libcap from updates-testing.
I have no idea if it works or how to test it--it doesn't appear to
"break" anything as far as normal operation of my system. Is that
good enough to give +1 karma to the package? If not, it would be
helpful if the maintainer would put instructions in the update text
saying how to test the update.
So, I guess what I'm asking is, is it ok to give +1 to any/all
packages if they work at all/we don't notice any regressions, or do we
have to actually test what they are supposed to fix?