From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2011-June/006002.html | 162 +++++++++++++++++++++++++++++++ 1 file changed, 162 insertions(+) create mode 100644 zarb-ml/mageia-dev/2011-June/006002.html (limited to 'zarb-ml/mageia-dev/2011-June/006002.html') diff --git a/zarb-ml/mageia-dev/2011-June/006002.html b/zarb-ml/mageia-dev/2011-June/006002.html new file mode 100644 index 000000000..14e8c4e6c --- /dev/null +++ b/zarb-ml/mageia-dev/2011-June/006002.html @@ -0,0 +1,162 @@ + + + + [Mageia-dev] Update of backport, policy proposal + + + + + + + + + +

[Mageia-dev] Update of backport, policy proposal

+ andre999 + andr55 at laposte.net +
+ Sat Jun 25 00:13:42 CEST 2011 +

+
+ +
Michael Scherer a écrit :
+>
+> This mail is about handling update on the backport repository. Either
+> new version, or bugfix, or security upgrade.
+>
+> Everybody was focused on "should we do patch, or should we do more
+> backport" issue, but the real problem is not really here.
+>
+> First, we have to decide what kind of update do we want to see, among
+> the 3 types :
+> - bugfixes
+> - security bug fixes,
+> - new version
+
+For bugfixes and new versions, that are not known to have security implications, let's treat them 
+essentially as new backports.
+If the bug were locally reported, the reporter would be involved in the testing.
+Such updates would be installed as any other backport.
+However I would favour notifying those who have installed previous versions of these backports, of 
+the availability of newer versions.
+Maybe even having a backports updates category.  (But not to be installed automatically by default.)
+
+For security issues, I'm not sure that it is important how we find out.
+As far as responsibility, I think the main responibility should be by the packager, but it could be 
+useful for the security team to monitor it, to find an alternate packager if necessary.
+(Presumably from those who have tested or installed the package.)
+(I don't know who monitors security issues now, I just assume the security team.)
+
+However I think that such packages should be tested as normally for backports, and then treated as 
+security updates, to be automatically applied.
+This is because those who have installed the backport in question have decided to accept a higher 
+degree of risk.  However a security issue can be a much greater risk, and is something that is 
+normally resolved automatically.  So by installing a security bug fix automatically for a backport, 
+we are essentially maintaining the level of risk already assumed by the user.
+
+
+In summary :
+
+In terms of testing, I see all backport updates as following the same process as for the initial 
+backports.  (As outlined by misc in another thread.)
+
+For non-security updates, I see essentially the same installation process as for initial backports.
+Adding some form of notification to those who have installed a previous version of the backport in 
+question.
+
+For security updates, I see automatic installation as with any security update.
+
+The treatment of these updates would depend on what is installed on the user's system, and not what 
+repositories are selected.
+
+In terms of monitoring security issues, why not use the same as for other packages ?
+
+my 2 cents :)
+-- 
+André
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1