On 5/31/11 6:38 PM, Karanbir Singh wrote:
On 06/01/2011 12:33 AM, Les Mikesell wrote:
can go wrong. My opinion is that it would be best to expose the initial release as 'test' quality and let a large number of people try it in a large number of environments - knowing that they should treat it as a test.
In which case, how would one estimate that 'enough' people have used it and 'enough' people have said OK? Or, in other words, that 'enough' people have not reported anything breaking for them.
Off the top of my head I'd say a few dozen people explicitly reporting a tested-good status, or a few thousand downloads and a few days with no negative reports. Pretty hard to generalize, since there are going to be code paths that are very rarely exercised. But you have to trade the risk of pushing minimally-tested code against leaving known vulnerabilities exposed, even if they are 'local' type exploits. I see an assortment of probes for application-level vulnerabilities (Struts, PHP, etc.) that simply post a success notice to a central site when they work, which is later followed by attempts to use that hole to send commands that try local privilege escalation, so I'm fairly nervous about vulnerabilities that have been published.
One of the reasons why we want to keep the Continuous Release repo on .centos.org machines is to be able to 'watch' log files...
How big of a problem will it be to update something that needs a rebuild without a version bump?