Using updates-testing was [Re: Device change for Sil 3112 in latest kernel]

[Jeff Spaleta]

On Mon, 09 Aug 2004 00:56:54 +0200, Arjan van de Ven <arjanv at redhat.com> wrote:
> it's a balancing act; do we delay the serious security hole fixes a day
> or not..... it's not an easy question. Right now the severity of the
> security problem made me decide against a day in testing but instead go
> live right away (based on a kernel that has been in rawhide for over a
> week). I hope you understand that that is a judgement call on a case by
> case basis (yes I know lame argument), but the fact that this security
> issue was going public with an exploit made me and Dave decide to go
> live instantly and not after 24 or 48 hours.

I understand its case by case and i also understand that anything
security related adds layers of complexity when trying to discuss the
ramifications. But I'm not so sure the current way fedora is handling
crisis updates is really in balance at all. The move away from
security backporting and a loss of a coherent way to get people update
notices they can read before the updates become available for install
throws the balance off a great deal from what has come before.  And
frankly, the change in how upstream kernel development is going to
process new features into the stable tree isn't going to make
situations like this any better.

Perhaps you can find a compromise here for the kernel, and release a
weekly test kernel to updates-testing. Not with the intent of
definitely releasing that kernel as updates-released. But so people
can get a heads-up on changes of kernel features and document them in
a faq so if you do have to push a crisis update major changes in how
the kernel deals with hardware the faq can be referenced in the
notice.

-jef