Delays in package processing

Thorsten Leemhuis fedora at leemhuis.info
Thu Dec 20 15:46:57 UTC 2007


On 20.12.2007 16:05, Michael Schwendt wrote:
> On Thu, 20 Dec 2007 08:41:24 +0100, Thorsten Leemhuis wrote:
> 
>> [...] there are currently up to four (or even
>> more) days between pushes afaics (the last one right now for example was
>> on 15 December 2007):
>> * for normal updates that's not a problem, but I think four days are a
>> to long delay for updates that fix security issues.
> If that is true,

Not sure, but the number of security updates in one push looks a bit odd
now and then; take for example

https://admin.fedoraproject.org/updates/F8/FEDORA-2007-3308

Fixes multiple CVEs, but seems it took round about 7 days from build to
the proper repos. The maintainer might be responsible for parts of this
timeframe -- but it looks like it took 2 days from koji/bodhi creation
to testing, and five from testing to stable.

> then wtf is the purpose of the "security" check-box in
> bodhi if it doesn't inform release engineers about the necessity to push a
> security related update?

I suppose part of the reason is to add a [SECURITY] to the subject and
mark it properly in the metadata.

> [...]
>> And, BTW, what's exactly the problem with "moving target for all
>> mirrors"? There were (are?) yum problems iirc (¹), but I suppose we can
>> fix them if we want?
> If the master site is modified too often, the window, during which mirrors
> can sync a complete set [*] of changes, becomes smaller. I guess Matt
> Domsch can tell how often mirrors sync on average.

But one the other hand pushing a lot more packages at once makes the
dataset bigger, which makes the windows smaller for that sync. But I
don't care much.

>> (¹) -- downloading metadata from one mirror, download error on it,
>> switching to another mirror that has even new push where the file yum
>> tries to download is already is gone again
> That's one of the problems. Files not found, persistent metadata checksum
> errors (older repomd.xml from previous mirror in conjunction with newer
> metadata from other mirrors), users seeing update announcements but tools
> not seeing the updates [yet].

Yeah, I've seen it as well. Should we file bugs (or are there bugs about
it already?)? skvidal?

> And last but not least, do you like being
> notified about system updates daily?

If they are security or otherwise relevant: yes. Queuing the other stuff
for a once-a-week-push might be okay to the stable repos (but testing
more often would be nice).

> First there's a series of minor
> version updates for some package, then upstream releases the next stable
> major version, and the packager smacks his lips because it's so exiciting
> to push that hot new stuff to Fedora 7+8+development instead of giving it
> time to test it in development.

+1

CU
knurd




More information about the fedora-devel-list mailing list