[Mageia-dev] Update of backport, policy proposal

andre999 andr55 at laposte.net
Sat Jun 25 00:13:42 CEST 2011


Michael Scherer wrote:
>
> This mail is about handling updates on the backport repository. Either a
> new version, a bugfix, or a security upgrade.
>
> Everybody was focused on the "should we do patches, or should we do more
> backports" issue, but the real problem is not really here.
>
> First, we have to decide what kind of update we want to see, among
> the 3 types:
> - bugfixes
> - security bug fixes,
> - new version

For bugfixes and new versions that are not known to have security implications, let's treat them 
essentially as new backports.
If the bug was reported locally, the reporter would be involved in the testing.
Such updates would be installed as any other backport.
However I would favour notifying those who have installed previous versions of these backports of 
the availability of newer versions.
Maybe even having a backport updates category.  (But not to be installed automatically by default.)

For security issues, I'm not sure that it is important how we find out.
As far as responsibility goes, I think the main responsibility should lie with the packager, but it could be 
useful for the security team to monitor it, to find an alternate packager if necessary.
(Presumably from among those who have tested or installed the package.)
(I don't know who monitors security issues now, I just assume the security team.)

However I think that such packages should be tested as normal for backports, and then treated as 
security updates, to be automatically applied.
This is because those who have installed the backport in question have decided to accept a higher 
degree of risk.  However a security issue can be a much greater risk, and is something that is 
normally resolved automatically.  So by installing a security bug fix automatically for a backport, 
we are essentially maintaining the level of risk already assumed by the user.


In summary:

In terms of testing, I see all backport updates as following the same process as for the initial 
backports.  (As outlined by misc in another thread.)

For non-security updates, I see essentially the same installation process as for initial backports.
Adding some form of notification to those who have installed a previous version of the backport in 
question.

For security updates, I see automatic installation as with any security update.

The treatment of these updates would depend on what is installed on the user's system, and not what 
repositories are selected.

In terms of monitoring security issues, why not use the same as for other packages?

my 2 cents :)
-- 
André

