Fwd: Re: releasing updates-testing packages without VERIFY votes

Jason Lim maillist at jasonlim.com
Fri Sep 23 17:32:25 UTC 2005


To tell the truth, to me at least, to support legacy systems I only really
care about critical security updates that could remotely compromise the
system (not even theoretical stuff is of interest). Even local compromise is
not THAT important to me... but in my view, a critical remote vulnerability
should get priority, and at least those should get tested, everything else
can really take the back burner.

I think we need to spend our very limited energy more productively.

If someone wants to use updates that supposedly haven't been tested, they
can use the testing repository, right? Nothing stopping them from using it.
As for everyone else... I'm more about plain old stability. Think about the
people still using legacy systems like RH9, they obviously aren't
"leading-edge" or anything, and probably aren't interested in little bug
fixes here and there, and would probably only be interested in the
worst-case security problems.

----- Original Message ----- 
From: "William Stockall" <wstockal at compusmart.ab.ca>
To: "Discussion of the Fedora Legacy Project"
<fedora-legacy-list at redhat.com>
Sent: Saturday, September 24, 2005 1:03 AM
Subject: Re: Fwd: Re: releasing updates-testing packages without VERIFY votes


> I concur with Mr. McCarty.  If untested updates are moved in with the
> tested updates then NONE of the updates can be trusted.  Who wants to go
> back to the bug entry to check for sure if an update actually got tested
> prior to rolling it out?
>
> Also, if there was little enough interest that no one tested the patch,
> why is it so important that it be rolled out at all?  If they are rolled
> out, they should at least be kept separate from the tested updates.
> That way people can choose whether they add that repository to pull
> updates from.
>
>
> Will.
> Mike McCarty wrote:
> > Eric Rostetter wrote:
> >
> >> Arg, sent with wrong From: address, so here it is again, since the
> >> moderator probably won't get to it for a while...
> >>
> >> ----- Forwarded message -----
> >>  Subject: Re: releasing updates-testing packages without VERIFY votes
> >>       To: fedora-legacy-list at redhat.com
> >>
> >> Quoting Pekka Savola <pekkas at netcore.fi>:
> >>
> >>
> >>> I suggest changing the policy so that packages in updates-testing
> >>> which haven't got any VERIFY votes could:
> >>
> >>
> >>
> >> First, let me say that it would take less time for the people involved
> >> in these "lets publish without QA" discussions to just QA the packages
> >> than they are spending arguing if we should publish them without any
> >> QA.  But, back to the current point of discussion...
> >>
> >>
> >>>  - after 2 weeks, marked with a timeout
> >>>  - after the timeout of 4 weeks [i.e., 6 weeks total] be
> >>>    officially published
> >>
> >>
> >>
> >> This goes against everything this group was founded on, and all Best
> >> Practices.  However, it does seem to be popular with the few folks
> >> involved in these conversations.  So, I'll approve of this, but only
> >> if amended to include the following:
> >
> >
> > Well I don't. I object to it, period. It's not only not best practice,
> > it's bad practice.
> >
> > If no one picks it up, and tests it, then how do we know it doesn't
> > create a worse problem than it reputedly solves?
> >
> > [snip]
> >
> > Mike
>
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-legacy-list
>
