[CentOS] This doesn't make sense

Fri Sep 23 20:04:53 UTC 2011
Lamar Owen <lowen at pari.edu>

On Friday, September 23, 2011 03:17:07 PM Dennis Jacobfeuerborn wrote:
> On 09/23/2011 07:57 PM, Lamar Owen wrote:
> > Have you pondered the moral implications of knowingly installing insecure software and placing it on the public internet?  Oh, wait, it's not a moral issue, since there is no such thing as secure software.
> 
> It is a moral issue if you know that you cannot provide timely updates.

You cannot know how long an update will take until the update is done, thanks to the iterative process of ensuring binary compatibility.

> "Fun" doesn't enter into it. Apparently there existed an updated httpd 
> package on Sept. 1st that was ready to go and yet here we are three weeks 
> later with no release but more importantly no timely message that it will 
> in fact not be released as planned.

I don't think you understand.  The process is iterative; if QA fails it's all the way back up to building it again.  A package may have existed three weeks ago in terms of being built; if that package had passed binary testing and QA it would have been released by now.

As to 'fun' entering into it, you also realize these guys are volunteers, right?  Make a volunteer's life too hard, and that volunteer stops volunteering.  These volunteers *owe* the users of CentOS *nothing*.  I'm just glad they've done what they've done.

> Again if it's not possible for the project to keep up with the updates then 
> this should be openly communicated so users can ponder alternatives.

I disagree.  The project has no obligation to communicate *anything* to me; I'll watch the announcements, and when it's announced, I'll get it.  I cannot expect any more than that from any volunteer project.  If the project chooses to communicate that's great and fine, but I cannot expect it when I am not entitled to it by some means.  Sure, that's inconvenient to users of the project's distribution; but users of any free, volunteer-run project need to understand what they're getting themselves into before they install it.

Perhaps the project should more adequately communicate during installation that timely updates, bug-free operation, and security fixes are not guaranteed, and require the user to agree to that before installation proceeds.

The CentOS project has done a fantastic job over the years, and it's easy to get spoiled to being a freeloader.  But updates don't build and QA themselves.

> And if it's not possible to release specific high profile/impact updates in 
> a timely fashion for some reason then users should be informed too so they 
> can deal with the situation in other ways.

Again, it is impossible to know how long a package release will take when you start, or even when you've built it for the twentieth time.  Full 100% binary compatibility may mean packages have to be built in a particular order, and it may mean a set of updates has to be built together in order to pass binary compatibility.  Once it has passed the binary check it still has to be QA'd, and if it fails you are at square one in some ways, building again in a slightly different way to a slightly different buildroot, correcting what QA found.  And the fix for one QA issue could easily cause another.

A package as important as httpd must pass muster.  A broken update is worse than no update at all.

> Yes, QA'ing and releasing a package may be time consuming but sending out 
> an email is not and would do a great deal to at least aid users in their 
> decision making.

Karanbir sent out an e-mail with his best estimate of the time; the estimate was incorrect, but due to the nature of the beast it is impossible to know how long it really will take.

Perhaps the QA process could be more open; perhaps it should be.  Perhaps it shouldn't be, too.  I'm not in a position to judge that.

Rosman, NC  28772
http://www.pari.edu