[CentOS-devel] announcing stuff that is in CR/

Thu Jul 21 15:05:31 UTC 2011
Les Mikesell <lesmikesell at gmail.com>

On 7/21/2011 9:47 AM, Alan Bartlett wrote:
> On 21 July 2011 15:03, Karanbir Singh<mail-lists at karan.org>  wrote:
>
>> Opinions on what would be a good time to announce rpms that make it into
>> the CR/ repo's ? As we build through 5.7 and 6.1, and start pushing the
>> packages into the CR/ repo, should we also be announcing those updates ?
>> On one hand it seems like the best time to announce it since the rpms
>> are available - however they are only available to people who
>> specifically opt into the CR/ process, so perhaps the best time to
>> announce them would be when the rpms are in the os ( or updates/ ) repos
>> in the next release.
>
> My feeling is that an announcement should only be made when the
> packages are finally available from either the os/ or updates/
> repositories. Those of us who feel so inclined to use packages from
> the proposed cr/ repo. will have the technical expertise to evaluate
> the repository's contents on a daily basis (or any other frequency so
> desired).

The important thing to know is when published CVE's are fixed upstream 
so you can judge how important the vulnerability is to your system's 
exposure and how soon you have to do something about it.  Whether that 
involves the CR repos or something else, it is a CentOS-specific risk we 
are all taking.

-- 
   Les Mikesell
    lesmikesell at gmail.com