On 7/21/2011 9:47 AM, Alan Bartlett wrote:
On 21 July 2011 15:03, Karanbir Singhmail-lists@karan.org wrote:
Opinions on what would be a good time to announce rpms that make it into the CR/ repo's ? As we build through 5.7 and 6.1, and start pushing the packages into the CR/ repo, should we also be announcing those updates ? On one hand it seems like the best time to announce it since the rpms are available - however they are only available to people who specifically opt into the CR/ process, so perhaps the best time to announce them would be when the rpms are in the os ( or updates/ ) repos in the next release.
My feeling is that an announcement should only be made when the packages are finally available from either the os/ or updates/ repositories. Those of us who feel so inclined to use packages from the proposed cr/ repo. will have the technical expertise to evaluate the repository's contents on a daily basis (or any other frequency so desired).
The important thing to know is when published CVE's are fixed upstream so you can judge how important the vulnerability is to your system's exposure and how soon you have to do something about it. Whether that involves the CR repos or something else, it is a CentOS-specific risk we are all taking.