[CentOS-devel] Missing security updates

Thu Jul 22 19:38:37 UTC 2010
Jeff Johnson <n3npq at mac.com>

On Jul 22, 2010, at 2:51 PM, Marcus Moeller wrote:

> Dear Karan.
>> Yes, that's about right. The idea of testing stuff within CentOS has a
>> very finite end point. With very few exceptions the only people trying
>> to get onto the testing team are people looking for early access. There
>> have only ever been a small number of people who actually do anything. I
>> would love, more than anything else at this time, to have a large and
>> productive testing team - but one that actually does something.
>> Opening up the list to public and opening up access to the testing
>> repos and hoping for the best is not only a stupid idea, it's also a
>> massive waste of resources. But still it's the only solution people seem
>> to come up with when I pitch this problem to them. So we carry on with
>> our solution in place right now -> invite people we know and recognise
>> to be people interested in helping. So visibility clueful people from
>> the community here. And don't be mistaken: plenty have declined. Which
>> is fine, everyone has their own agenda and life to live.
> There is even no clear process of how (trusted) ppl could join up.
> It's all about 'Expect to get invited when free slots in the testing
> team are available'.

The key issue is "trusted", not "join up". Credentials are
earned, not handed out. Calling this a "process" is like
calling a queue at the cash register a "process". Sure
it's linear, and moves forward, and can be modeled according
to objective measurements like cash in-flow or residence time
in queue and all those metrics miss the point that
	Credentials like "trusted" are earned, not otherwise.

> I also think that you lose nothing with opening up the testing
> process. But I personally never really cared about that 'early access'
> thing. And yes, I know your arguments but I just don't share them and
> other projects which already have open processes work quite well (even
> if they are enterprise related).

What exactly is "closed" about the process? Sausages from the @redhat.com
factory arrive on the CentOS loading dock, are examined, tallied, listed, stamped,
processed, and re-distributed. The entire process for CentOS release engineering
is easily seen, been the same since forever. There's nothing stopping anyone from grabbing
the sausages in the "security release", building, installing, testing, and reporting "worksforme"
to assist in expediting a "security release".

And if you want early access, you de facto have that by just building and
installing the "security" fix directly.

>> I don't personally see any of those frames changing too far at the moment, but then I've been surprised in the past and am quite open to being surprised again :)
> I just wait for the moment to be surprised by changes within the
> project infrastructure. One thing I have learned within the past few
> years in CentOS is that nothing will change (which maybe isn't that
> bad for an enterprise OS but it has not much to do with community)

All the vultures wait for dehydration to lead to demise before dining on the carcass.

And if you already "know" nothing will change, you already have an answer
that works for you.

No community needs to be involved in your decisions.

73 de Jeff