Fwd: Re: releasing updates-testing packages without VERIFY votes

Benjamin Smith lists at benjamindsmith.com
Tue Sep 27 17:36:46 UTC 2005


On Friday 23 September 2005 10:03, William Stockall wrote:
> I concur with Mr. McCarty.  If untested updates are moved in with the 
> tested updates then NONE of the updates can be trusted.  Who wants to go 
> back to the bug entry to check for sure if an update actually got tested 
> prior to rolling it out?

So don't release them to the same place... 

What if a repo is set up just for these timed out packages, and if somebody 
wants to use them, they can set their yum.conf to include this "semi-trusted" 
repository? 

If the package is given a name like  
bison-1.28-7.FEDORA-LEGACY-TIMEDOUT

Then it would be easy to see what you have installed that you might consider 
checking out by piping the output from "rpm -qa" through grep. 

I think this answers both sides of the equation. The underlying question seems 
to be "Does the risk of not publishing security updates exceed the risk of 
installing untested packages?" 

Would this add much to the administrative overhead for these packages? 

-Ben 



-- 
"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978
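
The audit step proposed above (filtering "rpm -qa" output for the marker), sketched as an added example that is not part of the original message or of any Fedora Legacy tooling. The marker string is taken from the post; the function names and the sample package list are constructed for illustration.

```shell
#!/bin/sh
# Marker from the post. Note: rpm rejects '-' inside a Release tag, so a real
# build would need a hyphen-free spelling; it is used verbatim here.
MARKER="FEDORA-LEGACY-TIMEDOUT"

# Constructed sample of `rpm -qa` output (name-version-release per line).
# The third entry has the marker in its *name*: a plain grep would flag it,
# the suffix check below does not.
sample_rpm_qa() {
cat <<'EOF'
bison-1.28-7.FEDORA-LEGACY-TIMEDOUT
glibc-2.3.2-27.9.7
FEDORA-LEGACY-TIMEDOUT-notes-1.0-1
perl-DBI-1.32-5.FEDORA-LEGACY-TIMEDOUT
openssl-0.9.7a-20.2
EOF
}

# Read name-version-release lines on stdin and print "name version release"
# for each package whose release ends in ".$MARKER".
timedout_packages() {
    while IFS= read -r nvr; do
        case "$nvr" in
            *".$MARKER") ;;          # marker must be the release suffix
            *) continue ;;
        esac
        base=${nvr%".$MARKER"}       # strip marker before splitting on '-'
        release=${base##*-}          # last field
        rest=${base%-*}
        version=${rest##*-}          # second-to-last field
        name=${rest%-*}              # everything else (may contain '-')
        printf '%s %s %s\n' "$name" "$version" "$release"
    done
    return 0
}

# Run against the live RPM database with --live, otherwise the sample.
if [ "${1:-}" = "--live" ]; then
    rpm -qa | timedout_packages
else
    sample_rpm_qa | timedout_packages
fi
```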



