[CentOS-devel] CentOS-[56] Continous Release
Les Mikesell
lesmikesell at gmail.com
Wed Jun 22 16:26:48 UTC 2011
On 6/22/2011 4:17 AM, Ljubomir Ljubojevic wrote:
>
>> I'd expect it to be common for the kernels and probably glibc's included with a
>> point release or soon thereafter to include security fixes. If you push those,
>> you have the biggest risk of affecting everything else - so what's the point of
>> isolating the rest?
>>
> All I can see is you pushing extreme case scenario on something that is
> good will of the devs to lower aggravation of people waiting for point
> release to be completed, with agenda to push for 2-days delay between
> upstream and CentOS point releases, knowing it can not physically
> happen. It's like watching my 2-years old nephew screaming for his
> bottle of milk even tho he can see his mother pouring it just in front
> of him.
> The packages that **can** be released faster *will* be released faster,
> those that could brake things will be held back, it is simple as that,
> at least in my book.
It's speculation at this point, but I think security fixes in the kernel
and major libs are to be expected instead of being some extreme case,
and those are precisely the most likely things that would cause
something to break if done incorrectly. The point of planning the early
release concept in the first place should be to get these fixes out to
the people who otherwise become targets of well-known exploits and
rootkits. Assume, for example, that another flaw is found in php or a
web app that allows remote command execution, and another glibc flaw
like the one recently fixed that allowed root escalation if you could
make a symlink to a suid file. Now assume that the fixes for these
vulnerabilities comes in or immediately after the point release. That
scenario seems normal, expected, and what the early release planning
should be all about instead of holding these back until a working
ananconda and iso layout is ready and tested.
> I will even dare to speculate that main reason for people to opt-in for
> CR repo will be so they can see how many packages are finished and to
> see packages coming out so they do not freak out without a visible
> progress. Side affect will be that some of them will be able to busy
> them selfs with comparing against upstream packages.
I think this is unlikely - unless they are unaware of the pending
security issues, don't watch the news, and never look at their logs - or
don't have an internet connection.
--
Les Mikesell
lesmikesell at gmail.com
More information about the CentOS-devel
mailing list