[Mageia-dev] RFC: Opening Backports (once again...)

Tue Jan 3 10:27:12 CET 2012

On Sunday, 11 December 2011 19:43:35 Florian Hubold wrote:
+\
+> 
+> Whatever the decision is, maybe we could tie this to some conditions:
+> Only allow backports if there are near-zero security/critical bugs for the
+> stable release or if there are no open bugs for the package in question?
+
+Well, my first question is, *who* is *responsible* for security updates? This 
+is not specified in the updates policy (the role assigned to build the 
+security update is named 'Maintainer (or any interested packager)', but who is 
+responsible for checking that we have all applicable updates? In Mandriva, it 
+was the responsibility of the security team (with cooperation from the 
+maintainer in some cases).
+
+At some stage we also need to look at providing vulnerability data in a 
+suitable format that supports automated validation (e.g. OVAL?), and a site 
+able to browse advisories.
+
+> Just some random crazy idea ...
+> 
+> IMHO we should focus on security and bugfixes for the stable release,
+> and there are currently too many security bugs open, some for a
+> really long time, where nothing is happening for months, yet we still
+> talk and concern about opening backports.
+
+FYI: the reason I have been slow on updates for Mageia is that I still have 
+systems running Mandriva, precisely because the bacports situation has not 
+been finalised, and I don't want to submit all missing packages in Mageia 1 to 
+updates. Once backports is open, I can drop some Mandriva packages, and spend 
+more time contributing to Mageia.
+
+So, you can't necessarily say that backports steals time from updates ...
+
+Regards,
+Buchan
+