<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-dev] Update of backport, policy proposal
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Update%20of%20backport%2C%20policy%20proposal&In-Reply-To=%3C4E050C16.3090403%40laposte.net%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="006001.html">
<LINK REL="Next" HREF="006022.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-dev] Update of backport, policy proposal</H1>
<B>andre999</B>
<A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Update%20of%20backport%2C%20policy%20proposal&In-Reply-To=%3C4E050C16.3090403%40laposte.net%3E"
TITLE="[Mageia-dev] Update of backport, policy proposal">andr55 at laposte.net
</A><BR>
<I>Sat Jun 25 00:13:42 CEST 2011</I>
<P><UL>
<LI>Previous message: <A HREF="006001.html">[Mageia-dev] Update of backport, policy proposal
</A></li>
<LI>Next message: <A HREF="006022.html">[Mageia-dev] Update of backport, policy proposal
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#6002">[ date ]</a>
<a href="thread.html#6002">[ thread ]</a>
<a href="subject.html#6002">[ subject ]</a>
<a href="author.html#6002">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>Michael Scherer wrote:
><i>
</I>><i> This mail is about handling update on the backport repository. Either
</I>><i> new version, or bugfix, or security upgrade.
</I>><i>
</I>><i> Everybody was focused on "should we do patch, or should we do more
</I>><i> backport" issue, but the real problem is not really here.
</I>><i>
</I>><i> First, we have to decide what kind of update do we want to see, among
</I>><i> the 3 types :
</I>><i> - bugfixes
</I>><i> - security bug fixes,
</I>><i> - new version
</I>
For bugfixes and new versions, that are not known to have security implications, let's treat them
essentially as new backports.
If the bug were locally reported, the reporter would be involved in the testing.
Such updates would be installed as any other backport.
However I would favour notifying those who have installed previous versions of these backports, of
the availability of newer versions.
Maybe even having a backports updates category. (But not to be installed automatically by default.)
For security issues, I'm not sure that it is important how we find out.
As far as responsibility, I think the main responsibility should be by the packager, but it could be
useful for the security team to monitor it, to find an alternate packager if necessary.
(Presumably from those who have tested or installed the package.)
(I don't know who monitors security issues now, I just assume the security team.)
However I think that such packages should be tested as normally for backports, and then treated as
security updates, to be automatically applied.
This is because those who have installed the backport in question have decided to accept a higher
degree of risk. However a security issue can be a much greater risk, and is something that is
normally resolved automatically. So by installing a security bug fix automatically for a backport,
we are essentially maintaining the level of risk already assumed by the user.
In summary :
In terms of testing, I see all backport updates as following the same process as for the initial
backports. (As outlined by misc in another thread.)
For non-security updates, I see essentially the same installation process as for initial backports.
Adding some form of notification to those who have installed a previous version of the backport in
question.
For security updates, I see automatic installation as with any security update.
The treatment of these updates would depend on what is installed on the user's system, and not what
repositories are selected.
In terms of monitoring security issues, why not use the same as for other packages ?
my 2 cents :)
--
André
</PRE>
<!--endarticle-->
<HR>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>