[CentOS-devel] Ask for the centos package review process

Wed Jun 22 16:39:24 UTC 2011
Regis Perdreau <regis.perdreau at gmail.com>

Hi, I'm looking for a complete package review process. I have only found
On 22 June 2011 18:27, "Les Mikesell" <lesmikesell at gmail.com> wrote:
> On 6/22/2011 4:17 AM, Ljubomir Ljubojevic wrote:
>>
>>> I'd expect it to be common for the kernels and probably glibc's included with a
>>> point release or soon thereafter to include security fixes. If you push those,
>>> you have the biggest risk of affecting everything else - so what's the point of
>>> isolating the rest?
>>>
>> All I can see is you pushing extreme case scenario on something that is
>> good will of the devs to lower aggravation of people waiting for point
>> release to be completed, with agenda to push for 2-days delay between
>> upstream and CentOS point releases, knowing it can not physically
>> happen. It's like watching my 2-year-old nephew screaming for his
>> bottle of milk even though he can see his mother pouring it just in front
>> of him.
>
>> The packages that **can** be released faster *will* be released faster,
>> those that could break things will be held back, it is as simple as that,
>> at least in my book.
>
> It's speculation at this point, but I think security fixes in the kernel
> and major libs are to be expected instead of being some extreme case,
> and those are precisely the most likely things that would cause
> something to break if done incorrectly. The point of planning the early
> release concept in the first place should be to get these fixes out to
> the people who otherwise become targets of well-known exploits and
> rootkits. Assume, for example, that another flaw is found in php or a
> web app that allows remote command execution, and another glibc flaw
> like the one recently fixed that allowed root escalation if you could
> make a symlink to a suid file. Now assume that the fixes for these
> vulnerabilities come in or immediately after the point release. That
> scenario seems normal, expected, and what the early release planning
> should be all about instead of holding these back until a working
> anaconda and iso layout is ready and tested.
>
>> I will even dare to speculate that main reason for people to opt-in for
>> CR repo will be so they can see how many packages are finished and to
>> see packages coming out so they do not freak out without a visible
>> progress. Side effect will be that some of them will be able to busy
>> themselves with comparing against upstream packages.
>
> I think this is unlikely - unless they are unaware of the pending
> security issues, don't watch the news, and never look at their logs - or
> don't have an internet connection.
>
> --
> Les Mikesell
> lesmikesell at gmail.com
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> http://lists.centos.org/mailman/listinfo/centos-devel