Fwd: Re: releasing updates-testing packages without VERIFY votes

Jeff Sheltren sheltren at cs.ucsb.edu
Fri Sep 23 18:12:24 UTC 2005


On Fri, September 23, 2005 1:03 pm, William Stockall said:
> I concur with Mr. McCarty.  If untested updates are moved in with the
> tested updates then NONE of the updates can be trusted.  Who wants to go
> back to the bug entry to check for sure if an update actually got tested
> prior to rolling it out?
>
> Also, if there was little enough interest that no one tested the patch,
> why is it so important that it be rolled out at all?  If they are rolled
> out, they should at least be kept separate from the tested updates.
> That way people can choose whether they add that repository to pull
> updates from.
>
> Will.

Well, if you are serious about having a stable system, you should always
test the packages yourself on a mock-production machine, otherwise you can
never be sure that the package won't break your system, no matter how many
other people have tested it previously.

Second, lack of interest in QAing a package does not make the security
issue any less of a threat.  When people point yum to use FL repos, they
are under the impression that they will get security patches in a timely
manner.  Due to a lack of (wo)manpower, it already takes us long enough
to get packages out - if we have packages sitting in updates-testing for
months/years, we are simply doing a disservice to those who are using FL
with the belief that they are safe simply having a nightly yum update run.

Most of the patches we use come straight from RHEL or FC RPMs, which have
received quite a bit of QA before release - and that makes me feel more
confident in having this sort of timeout for packages we can't get enough
verifies for.

-Jeff
