CentOS developers,
Could someone take a look at this? It was posted on the CentOS Forum by bdaniels. Apparently this security update came out on May 1, but not all versions have been made available for CentOS.
Akemi
=== Forum posting by bdaniels ===
Well, the announce list has been posting them:
[CentOS-announce] CESA-2007:0257 Low CentOS 4 s390(x) openssh - security update 05/04/2007 06:44 PM
CentOS Errata and Security Advisory 2007:0257
https://rhn.redhat.com/errata/RHSA-2007-0257.html
But only for the s390 and ia64 architectures. The i386/ia32 ones are missing.
On Mon, 2007-05-07 at 12:57 -0700, Akemi Yagi wrote:
> Could someone take a look at this? It was posted on the CentOS Forum by bdaniels. Apparently this security update came out on May 1, but not all versions have been made available for CentOS.
That would be because they are part of the 4.5 respin ...
In the past, if we have released only parts of the respin, we have had errors because some of the packages are compiled on the new glibc/gcc.
As always, our goal on respins is 2 weeks, so the full 4.5 will be released by May 15th.
On 5/7/07, Johnny Hughes mailing-lists@hughesjr.com wrote:
> That would be because they are part of the 4.5 respin ...
> In the past, if we have released only parts of the respin, we have had errors because some of the packages are compiled on the new glibc/gcc.
OK...BUT, as bdaniels noted, the above update is already out for CentOS ia64 (May 2) and s390 (May 4)...
Akemi
Akemi Yagi spake the following on 5/7/2007 3:17 PM:
> OK...BUT, as bdaniels noted, the above update is already out for CentOS ia64 (May 2) and s390 (May 4)...
Those arch's probably aren't scheduled for a respin right away. IA64 and s390 are probably in the single digit percentage of installs, and those respins can probably be put off for an extra week or two without serious complaints. But the ssh patches probably shouldn't wait that long.
On Mon, 2007-05-07 at 15:34 -0700, Scott Silva wrote:
> Those arch's probably aren't scheduled for a respin right away. IA64 and s390 are probably in the single digit percentage of installs, and those respins can probably be put off for an extra week or two without serious complaints. But the ssh patches probably shouldn't wait that long.
That is correct ... as we have different developers/release managers doing different things for different arches.
And I might analyze for releasing the openssh stuff separately, if there is a long term reason that we can't get the i386/x86_64 respins out.
The problem goes like this: (as an example)
Kernel is a security release, so I want to push it before we do the respin.
Kernel boots with the old kudzu and mkinitrd, but does not work correctly ... so I need to release those too.
The mkinitrd requires that I need to release the new kernel-utils and module-init-tools.
Pretty soon, I need to release the whole respin to release the kernel.
Since the thing in question is the openssh ... let's see how long RH waited from build time to release:
=====================================================
From RHN:
openssh-3.9p1-8.RHEL4.20.i386.rpm
Build Date: 2006-11-10 16:14:48
Release Date: 2007-05-01
=====================================================
So if RH can wait almost 7 months to get this package through QA and release, surely we can QA the entire respin for 2 weeks :-P.
As I said, dumping only part of the respin out can be done, however, I just did not like the results that we had and bugs it created the couple times we did it that way for i386/x86_64 ... it is just safer to release it as a group (just like upstream did).
However, if another developer wants to do the other approach, and if they have analyzed for it, that is also absolutely a valid approach. Nothing wrong with either way, but I want i386/x86_64 to go through QA first.
Thanks,
Johnny Hughes