Old 03-01-2010, 08:38 AM
"Nicolas Mailhot"
 
FESCo wants to ban direct stable pushes in Bodhi (urgent call for feedback)

On Sun 28 February 2010 17:24, Adam Williamson wrote:
>
> On Sun, 2010-02-28 at 11:43 +0100, Nicolas Mailhot wrote:
>
>> There are things only packagers can fix. Everything else should be
>> handled by tools so packagers can focus on the parts where they add real
>> value. If a process change puts more burden on all packagers because
>> it's easier to ask packagers to do stuff than fix tools, it's a bad
>> process change. And yes I accept than in some cases not burdening
>> packagers means increasing the chance for some problems. Perfection is
>> the ennemy of good.
>
> This is a wonderful sentiment. How does it apply to the current
> situation, exactly? What 'tools' is it you're saying are not fixed?

Clearly, bodhi/bugzilla/pk interaction is not good enough to collect the kind
of feedback needed for the karma system to work. And bodhi should get smarter
about identifying packages that need this feedback. Critical path is a good
first approximation but what would really help is some heuristic about how
much breakage a bad package can cause: how many other packages depend on it
(dependency metrics), how long it has lived (has it been in Fedora for years
or imported the week before), was it even in the default install for some
people, etc.

testing is not really operational right now so the main value of forcing
people to use testing is to make the process painful enough they are less
update-happy. I don't think we should ever aim to make any part of the process
painful. This is an anti-feature.

--
Nicolas Mailhot


--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 03-02-2010, 11:34 PM
Björn Persson
 
FESCo wants to ban direct stable pushes in Bodhi (urgent call for feedback)

Adam Williamson wrote:
> you can try and cherry-pick security updates, but then you get the
> problem where initial release has Foobar 1.0, then Foobar 3.5 gets
> shipped in updates, then a security problem emerges and Foobar 3.5-2
> with the security fix gets shipped in updates. You now have a choice of
> unsecure Foobar 1.0, or completely new version Foobar 3.6.

There's also the other variant where a security problem is found in Foobar 1.0
but the problem isn't present in Foobar 3.0 and later. Upstream still supports
the 1.0 branch and releases Foobar 1.0.4 to fix the problem, but no security
update is released for Fedora since there is no problem in the latest Fedora
package. The Fedora user who chose not to upgrade Foobar won't even know that
there is a security problem.

Björn Persson
Old 03-03-2010, 05:25 AM
James Antill
 
FESCo wants to ban direct stable pushes in Bodhi (urgent call for feedback)

On Wed, 2010-03-03 at 01:34 +0100, Björn Persson wrote:
> Adam Williamson wrote:
> > you can try and cherry-pick security updates, but then you get the
> > problem where initial release has Foobar 1.0, then Foobar 3.5 gets
> > shipped in updates, then a security problem emerges and Foobar 3.5-2
> > with the security fix gets shipped in updates. You now have a choice of
> > unsecure Foobar 1.0, or completely new version Foobar 3.6.
>
> There's also the other variant where a security problem is found in Foobar 1.0
> but the problem isn't present in Foobar 3.0 and later. Upstream still supports
> the 1.0 branch and releases Foobar 1.0.4 to fix the problem, but no security
> update is released for Fedora since there is no problem in the latest Fedora
> package. The Fedora user who chose not to upgrade Foobar won't even know that
> there is a security problem.

This isn't a hard problem: 3.0 should then be marked as a security
update. Sure it sucks that you have to go from 1.0.4 to 3.0, and
presumably a lot will change, but that's Fedora.
On the other hand if "yum --security update" does not fix the known
security problems on your system, that's a huge exploit waiting to
happen ... and one I doubt any users know about.
I've sent a query to security@ to clarify.

--
James Antill - james@fedoraproject.org
http://yum.baseurl.org/wiki/releases
http://yum.baseurl.org/wiki/whatsnew/3.2.27
http://yum.baseurl.org/wiki/YumMultipleMachineCaching
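The two mechanisms under discussion, the security-only selection James refers to ("yum --security update" applies only advisories typed as security) and the gap Björn describes (a rebase that removes the problem but carries no security flag, so a user on the old version is never told), can both be checked offline against an updateinfo feed. The following is an added example, not code from the thread or from yum itself: it uses a constructed updateinfo.xml fragment with made-up advisory ids, an invented package "bazlib" beside the thread's "foobar", a plain dict standing in for the rpmdb, and a simplified rpmvercmp that ignores epoch and tilde/caret rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml fragment (not a real Fedora feed). 'foobar' is
# the package name used in the thread; 'bazlib' and the advisory ids are
# made up. The 3.0 rebase of foobar is typed 'enhancement', which is the
# scenario Björn describes: it removes the 1.0 problem but is not flagged.
SAMPLE_UPDATEINFO = """<updates>
  <update from="updates@example.invalid" status="stable" type="enhancement" version="1.4">
    <id>FEDORA-SAMPLE-0001</id>
    <title>foobar-3.0-1.fc12</title>
    <pkglist><collection short="F12">
      <package arch="x86_64" name="foobar" version="3.0" release="1.fc12"/>
    </collection></pkglist>
  </update>
  <update from="updates@example.invalid" status="stable" type="security" version="1.4">
    <id>FEDORA-SAMPLE-0002</id>
    <title>bazlib-2.1-4.fc12</title>
    <pkglist><collection short="F12">
      <package arch="x86_64" name="bazlib" version="2.1" release="4.fc12"/>
    </collection></pkglist>
  </update>
  <update from="updates@example.invalid" status="stable" type="security" version="1.4">
    <id>FEDORA-SAMPLE-0003</id>
    <title>bazlib-2.0-9.fc12</title>
    <pkglist><collection short="F12">
      <package arch="x86_64" name="bazlib" version="2.0" release="9.fc12"/>
    </collection></pkglist>
  </update>
</updates>"""

# Constructed rpmdb stand-in: the host that never took the foobar rebase.
HOST_A = {"foobar": ("1.0", "1.fc12"), "bazlib": ("2.1", "3.fc12")}


def _segments(s):
    return re.findall(r"\d+|[a-zA-Z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret handling): numeric segments
    compare numerically, alphabetic ones lexically, numeric beats alpha,
    and the string with more segments wins an otherwise equal comparison."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare (version, release) pairs; epoch is ignored in this sample."""
    return rpm_vercmp(a[0], b[0]) or rpm_vercmp(a[1], b[1])


def parse_updateinfo(xml_text):
    """Flatten an updateinfo feed into [{id, type, packages: [(n, v, r)]}]."""
    updates = []
    for upd in ET.fromstring(xml_text).findall("update"):
        updates.append({
            "id": upd.findtext("id"),
            "type": upd.get("type"),
            "packages": [(p.get("name"), p.get("version"), p.get("release"))
                         for p in upd.iter("package")],
        })
    return updates


def audit(installed, updates):
    """Return (security_pending, unflagged_newer): advisory ids per installed
    package. The first bucket is what a security-only update run would pull;
    the second lists newer builds that carry no security flag and therefore
    deserve a human look before assuming the host is covered."""
    security, unflagged = {}, {}
    for upd in updates:
        for name, ver, rel in upd["packages"]:
            if name in installed and evr_cmp((ver, rel), installed[name]) > 0:
                bucket = security if upd["type"] == "security" else unflagged
                bucket.setdefault(name, []).append(upd["id"])
    return security, unflagged


def retype(updates, update_id, new_type):
    """Copy of the feed with one advisory retyped (James's remedy: mark the
    3.0 rebase as a security update so security-only runs pick it up)."""
    return [dict(u, type=new_type) if u["id"] == update_id else u for u in updates]


if __name__ == "__main__":
    feed = parse_updateinfo(SAMPLE_UPDATEINFO)
    print(audit(HOST_A, feed))
    print(audit(HOST_A, retype(feed, "FEDORA-SAMPLE-0001", "security")))
```

Run against the constructed feed, the first audit pulls only the bazlib advisory into the security bucket and reports the foobar 3.0 rebase as an unflagged newer build; after retyping that advisory as security, foobar joins the security bucket and the unflagged list is empty. The superseded bazlib 2.0 advisory is dropped because its EVR is not newer than what the host already has.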
Old 03-03-2010, 06:57 AM
Adam Williamson
 
FESCo wants to ban direct stable pushes in Bodhi (urgent call for feedback)

On Wed, 2010-03-03 at 01:25 -0500, James Antill wrote:
> On Wed, 2010-03-03 at 01:34 +0100, Björn Persson wrote:
> > Adam Williamson wrote:
> > > you can try and cherry-pick security updates, but then you get the
> > > problem where initial release has Foobar 1.0, then Foobar 3.5 gets
> > > shipped in updates, then a security problem emerges and Foobar 3.5-2
> > > with the security fix gets shipped in updates. You now have a choice of
> > > unsecure Foobar 1.0, or completely new version Foobar 3.6.
> >
> > There's also the other variant where a security problem is found in Foobar 1.0
> > but the problem isn't present in Foobar 3.0 and later. Upstream still supports
> > the 1.0 branch and releases Foobar 1.0.4 to fix the problem, but no security
> > update is released for Fedora since there is no problem in the latest Fedora
> > package. The Fedora user who chose not to upgrade Foobar won't even know that
> > there is a security problem.
>
> This isn't a hard problem: 3.0 should then be marked as a security
> update. Sure it sucks that you have to go from 1.0.4 to 3.0, and
> presumably a lot will change, but that's Fedora.
> On the other hand if "yum --security update" does not fix the known
> security problems on your system, that's a huge exploit waiting to
> happen ... and one I doubt any users know about.
> I've sent a query to security@ to clarify.

I wasn't suggesting that's what happens in Fedora at present, just that
- given a single update stream in which it's perfectly fine for
'security' updates to build on 'feature' updates - it's impossible to
cherry pick only security updates. So even though Fedora categorizes
updates, you can't actually run Fedora and only take the minimal changes
that some people consider an appropriate update set.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

Old 03-03-2010, 02:31 PM
James Antill
 
FESCo wants to ban direct stable pushes in Bodhi (urgent call for feedback)

On Tue, 2010-03-02 at 23:57 -0800, Adam Williamson wrote:

> I wasn't suggesting that's what happens in Fedora at present, just that
> - given a single update stream in which it's perfectly fine for
> 'security' updates to build on 'feature' updates - it's impossible to
> cherry pick only security updates.

This is Fedora. Security updates can come with new features, that's
life. You can have zero updates for a package, and then do a rebase to
fix a security problem and also Require: the latest versions of
everything else in updates for all I care.
The security problem is _fixed_ though, so your system is secure, and
that's all that --security guarantees (and it has made "minimal"
updates, it's just that "minimal" is bigger than with say RHEL/CentOS).

--
James Antill - james@fedoraproject.org
http://yum.baseurl.org/wiki/releases
http://yum.baseurl.org/wiki/whatsnew/3.2.27
http://yum.baseurl.org/wiki/YumMultipleMachineCaching