[CentOS-devel] CentOS-[56] Continous Release

Wed Jun 22 16:26:48 UTC 2011
Les Mikesell <lesmikesell at gmail.com>

On 6/22/2011 4:17 AM, Ljubomir Ljubojevic wrote:
>> I'd expect it to be common for the kernels and probably glibc's included with a
>> point release or soon thereafter to include security fixes.  If you push those,
>> you have the biggest risk of affecting everything else - so what's the point of
>> isolating the rest?
> All I can see is you pushing an extreme-case scenario on something that is
> good will of the devs to lower aggravation of people waiting for point
> release to be completed, with an agenda to push for 2-days delay between
> upstream and CentOS point releases, knowing it cannot physically
> happen. It's like watching my 2-year-old nephew screaming for his
> bottle of milk even though he can see his mother pouring it just in front
> of him.

> The packages that **can** be released faster *will* be released faster,
> those that could break things will be held back, it is as simple as that,
> at least in my book.

It's speculation at this point, but I think security fixes in the kernel 
and major libs are to be expected instead of being some extreme case, 
and those are precisely the most likely things that would cause 
something to break if done incorrectly.  The point of planning the early 
release concept in the first place should be to get these fixes out to 
the people who otherwise become targets of well-known exploits and 
rootkits.  Assume, for example, that another flaw is found in php or a 
web app that allows remote command execution, and another glibc flaw 
like the one recently fixed that allowed root escalation if you could 
make a symlink to a suid file.  Now assume that the fixes for these 
vulnerabilities come in or immediately after the point release. That 
scenario seems normal, expected, and what the early release planning 
should be all about instead of holding these back until a working 
anaconda and iso layout is ready and tested.

> I will even dare to speculate that the main reason for people to opt-in for
> CR repo will be so they can see how many packages are finished and to
> see packages coming out so they do not freak out without a visible
> progress.  Side effect will be that some of them will be able to busy
> themselves with comparing against upstream packages.

I think this is unlikely - unless they are unaware of the pending 
security issues, don't watch the news, and never look at their logs - or 
don't have an internet connection.

   Les Mikesell
    lesmikesell at gmail.com