Hi, I'm looking for a complete package review process. I have only found

On 22 June 2011 at 18:27, "Les Mikesell" <lesmikesell at gmail.com> wrote:
> On 6/22/2011 4:17 AM, Ljubomir Ljubojevic wrote:
>>
>>> I'd expect it to be common for the kernels and probably glibc's included with a
>>> point release or soon thereafter to include security fixes. If you push those,
>>> you have the biggest risk of affecting everything else - so what's the point of
>>> isolating the rest?
>>>
>> All I can see is you pushing extreme case scenario on something that is
>> good will of the devs to lower aggravation of people waiting for point
>> release to be completed, with agenda to push for 2-days delay between
>> upstream and CentOS point releases, knowing it can not physically
>> happen. It's like watching my 2-year-old nephew screaming for his
>> bottle of milk even though he can see his mother pouring it just in front
>> of him.
>
>> The packages that **can** be released faster *will* be released faster,
>> those that could break things will be held back, it is simple as that,
>> at least in my book.
>
> It's speculation at this point, but I think security fixes in the kernel
> and major libs are to be expected instead of being some extreme case,
> and those are precisely the most likely things that would cause
> something to break if done incorrectly. The point of planning the early
> release concept in the first place should be to get these fixes out to
> the people who otherwise become targets of well-known exploits and
> rootkits. Assume, for example, that another flaw is found in php or a
> web app that allows remote command execution, and another glibc flaw
> like the one recently fixed that allowed root escalation if you could
> make a symlink to a suid file. Now assume that the fixes for these
> vulnerabilities come in or immediately after the point release. That
> scenario seems normal, expected, and what the early release planning
> should be all about instead of holding these back until a working
> anaconda and iso layout is ready and tested.
>
>> I will even dare to speculate that main reason for people to opt-in for
>> CR repo will be so they can see how many packages are finished and to
>> see packages coming out so they do not freak out without a visible
>> progress. Side effect will be that some of them will be able to busy
>> themselves with comparing against upstream packages.
>
> I think this is unlikely - unless they are unaware of the pending
> security issues, don't watch the news, and never look at their logs - or
> don't have an internet connection.
>
> --
> Les Mikesell
> lesmikesell at gmail.com