[CentOS-devel] CentOS-[56] Continous Release

Wed Jun 1 05:16:21 UTC 2011
Les Mikesell <lesmikesell at gmail.com>

On 5/31/11 6:38 PM, Karanbir Singh wrote:
> On 06/01/2011 12:33 AM, Les Mikesell wrote:
>> can go wrong.  My opinion is that it would be best to expose the initial
>> release as 'test' quality and let a large number of people try it in a
>> large number of environments - knowing that they should treat it as a test.
>
> In which case, how would one estimate 'enough' people have used it and
> 'enough' people have said ok ? Or, in other words 'enough' people have
> not reported anything breaking for them.

Off the top of my head I'd say a few dozen people explicitly reporting a 
tested-good status or a few thousand downloads and a few days with no negative 
reports.  Pretty hard to generalize since there are going to be code paths that 
are very rarely exercised.  But, you have to trade the risk of pushing 
minimally-tested code against leaving known vulnerabilities exposed even if they 
are 'local' type exploits.  I see an assortment of probes for application level 
vulnerabilities (struts, php, etc.) that simply post a success notice to a 
central site when they work, which is later followed with attempts to use that 
hole to send commands that try local privilege escalation - so I'm fairly 
nervous about vulnerabilities that have been published.

> One of the reasons why we want to keep the Continuous Release repo on
> .centos.org machines is to be able to 'watch' log files...

How big of a problem will it be to update something that needs a rebuild without 
a version bump?

-- 
   Les Mikesell
    lesmikesell at gmail.com