From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2011-June/006022.html | 169 +++++++++++++++++++++++++++++++ 1 file changed, 169 insertions(+) create mode 100644 zarb-ml/mageia-dev/2011-June/006022.html (limited to 'zarb-ml/mageia-dev/2011-June/006022.html') diff --git a/zarb-ml/mageia-dev/2011-June/006022.html b/zarb-ml/mageia-dev/2011-June/006022.html new file mode 100644 index 000000000..e0e900272 --- /dev/null +++ b/zarb-ml/mageia-dev/2011-June/006022.html @@ -0,0 +1,169 @@ + + + + [Mageia-dev] Update of backport, policy proposal + + + + + + + + + +

[Mageia-dev] Update of backport, policy proposal

+ Michael Scherer + misc at zarb.org +
+ Sun Jun 26 01:04:38 CEST 2011 +

+
+ +
Le vendredi 24 juin 2011 à 18:13 -0400, andre999 a écrit :
+> Michael Scherer a écrit :
+> >
+> > This mail is about handling update on the backport repository. Either
+> > new version, or bugfix, or security upgrade.
+> >
+> > Everybody was focused on "should we do patch, or should we do more
+> > backport" issue, but the real problem is not really here.
+> >
+> > First, we have to decide what kind of update do we want to see, among
+> > the 3 types :
+> > - bugfixes
+> > - security bug fixes,
+> > - new version
+> 
+> For bugfixes and new versions, that are not known to have security implications, let's treat them 
+> essentially as new backports.
+> If the bug were locally reported, the reporter would be involved in the testing.
+> Such updates would be installed as any other backport.
+> However I would favour notifying those who have installed previous versions of these backports, of 
+> the availability of newer versions.
+
+The question is "how". 
+
+> Maybe even having a backports updates category.  (But not to be installed automatically by default.)
+> 
+> For security issues, I'm not sure that it is important how we find out.
+> As far as responsibility, I think the main responibility should be by the packager, but it could be 
+> useful for the security team to monitor it, to find an alternate packager if necessary.
+> (Presumably from those who have tested or installed the package.)
+> (I don't know who monitors security issues now, I just assume the security team.)
+> 
+> However I think that such packages should be tested as normally for backports, and then treated as 
+> security updates, to be automatically applied.
+
+If we place it in a repository that is enabled by default, we will
+basically do a version upgrade for every people that have it enabled.
+
+If this is updates, this would violate our own policy.
+
+If we place in backports, it is not enabled by default.
+
+> This is because those who have installed the backport in question have decided to accept a higher 
+> degree of risk.  However a security issue can be a much greater risk, and is something that is 
+> normally resolved automatically.  So by installing a security bug fix automatically for a backport, 
+> we are essentially maintaining the level of risk already assumed by the user.
+
+So that basically mean "unsupported".
+
+There is even more tricky problems :
+Let's take a software that release soon, release often. Let's say a voip
+software.
+
+Someone install version 1.0 from release. So far, so good, but he hear
+that 1.1 is out, and he install it from backport ( after requesting ).
+He is satisfied, then the developers of our voip software decide to
+create a version 2.0, with a completely new interface but the ui is yet
+unfinished and untranslated, so our user cannot use it. Yet, someone
+request a backport, and let's assume we do it.
+
+With our current scheme, our user will not be affected and he doesn't
+want to upgrade. So he keep the version 1.1.
+
+A security issue is discovered, in 1.X and 2.X. 
+
+1.0-2 is sent to release update, with security fix.
+2.1 is sent to backport, as the packager follow the list.
+
+What should be done for the user :
+Force upgrade to the next major release ? 
+Ask him to revert to release update ? 
+Tell him "this is not supported" ?
+
+Or maybe we should not have upgraded to 2.0 if we knew that current user
+would refuse it ?
+
+-- 
+Michael Scherer
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1