Problems with bodhi and security updates

Ville Skyttä ville.skytta at iki.fi
Sun Jan 27 20:30:48 UTC 2008


On Sunday 27 January 2008, Kevin Kofler wrote:

> One more thing: you're quick to blame the security team approval process
> when it delays your Fedora 8 update, 

This is not about any particular update, and I don't know why you're pointing 
fingers back at me about something different.  I saw something that smelled 
like a broken process and tried to provide as accurate an example as possible 
to illustrate my observations, hence used the xine-lib case with what I 
experienced it with, hoping to get feedback from those who have designed it 
and are applying it saying whether it works as intended (and if so, why).  I 
also asked for instructions in case there was something I should have done 
differently.

> but this is already the third update
> you're pushing to Fedora 7 updates-testing,

Ok, I'll bite.

The first one went to testing because in addition to a security fix it was a 
version bump from version 1.1.7 to 1.1.9.1.  I now think this was a mistake 
and I should not have touched F-7 at all.

The second one (trivial non-security 1.1.9+ regression fixes) went also to 
testing because nobody had notified me whether the previous testing update 
worked or not.

The 3rd one was an update to 1.1.10 which contained a security fix and some 
other pretty harmless-looking changes - I decided to push that directly to 
stable because of the nature of those changes and more importantly because 
meanwhile a confirmation comment arrived that the latest 1.1.9.1 incarnation 
worked for some people.  Bodhi turned that into the 3rd testing request.

At the time of filing the 3rd request (more precisely a bit before that) I 
also revoked the existing 1.1.9.1 testing->stable update request because I 
had no idea I wouldn't be able to push the new one directly to stable and 
thought it'd take the same time for the 1.1.9.1 testing->stable to be 
processed as the 1.1.10 directly to stable one.

> and you appear not to have requested a push to stable for any.

Yes, I have.  I filed that request immediately after the first comment arrived 
in Bodhi that someone had tested the F-7 update and found it working (thanks, 
Rex!).

> Many maintainers don't even test their NON-security updates on all Fedora
> versions before they push them. (Hey, you're lucky if they even tested it
> on ANY distro. ;-) ) You may think that's a bad idea,

VERY much so, and I will not participate in that madness, but that's a rant 
for another day.

> but at least for 
> security updates, I think getting it out quickly is more important.

For easily reviewable security fix updates only, agreed.




More information about the fedora-devel-list mailing list