Follow-up on Extended Life Cycle

Josh Boyer jwboyer at gmail.com
Tue Jul 21 13:46:22 UTC 2009


On Tue, Jul 21, 2009 at 08:58:18AM -0400, Paul W. Frields wrote:
>On Tue, Jul 21, 2009 at 08:38:11AM -0400, Greg DeKoenigsberg wrote:
>> On Tue, 21 Jul 2009, Tim Burke wrote:
>>> I'm guessing that this 1 fulltime person in a security response team 
>>> role is to track, monitor, and coordinate the issues that need to be 
>>> addressed. Which in many cases is different from the devel, releng and 
>>> test aspects - necessitating much more than 1 fulltime person's worth of 
>>> work to pull off the broader initiative.  Right?
>>
>> In the world of RHEL, this would certainly be true -- but in the world of  
>> Fedora?
>>
>> What QA/releng work is required to push updates into Fedora currently,  
>> after the initial distro has been pushed out?  I'm pretty sure it's not  
>> much; we just use bodhi to coordinate +1s to packages in the updates  
>> testing repo, and that's about the extent of it.  This process would not  
>> change.
>
>That's pretty much the size of it.  The package maintainer shoulders a
>big part of the burden, and then co-opts the work of other intrepid
>volunteers to test the packages and get the bodhi karma needed for an
>update push.  I'd assume the latter step doesn't really change for

Karma is not required for an update push.  It is done at the maintainer's
discretion.  We, of course, would like maintainers to get multiple positive
karma votes before pushing, but that is not feasible for a wide variety of
packages.

>this effort, since it doesn't have to.  But many of the current
>package maintainers are not involved in this effort, so exactly who is
>taking over the former work, and how it proceeds in an organized
>fashion, are important questions that must be answered.

I think there is additional effort involved here.  The proposal is talking
about security updates only for ELC.  At the moment, this requires someone
from the Fedora Security team to approve them before releng even sees the
push request.  This is true of current releases as well.

So, I don't think there is anything majorly _new_ here.  But continuing to do
the same things for longer is an increase in effort for a number of teams.
How much so and is that worth it is the question.

josh