Fwd: Re: releasing updates-testing packages without VERIFY votes

Michal Jaegermann michal at harddata.com
Tue Sep 27 18:11:17 UTC 2005


On Tue, Sep 27, 2005 at 10:36:46AM -0700, Benjamin Smith wrote:
> On Friday 23 September 2005 10:03, William Stockall wrote:
> > I concur with Mr. McCarty.  If untested updates are moved in with the 
> > tested updates then NONE of the updates can be trusted.
...
> 
> What if a repo is set up just for these timed out packages, and if somebody 
> wants to use them, they can set their yum.conf to include this "semi-trusted" 
> repository? 

It seems to me that this is a terrible idea.  Things are already
quite fragmented in the context and that would create even further
fragmentation and administrative headaches which someone would have
to suffer.

Besides, I do not get it.  There is a clamour for tested and verified
packages but who is supposed to do that?  Waiting for others does
not help.  If I am putting in a bug report a note that it is easy to
recompile a package from updates to some other distribution, or give
a reference to what I believe is a fixed package which I put
together myself, then you can be sure that it works for me and is
in actual use.  Beyond that I cannot tell very much on my own.

Personally I think that if a "release early, release often"
principle would be applied to Legacy releases too, with a quick
re-release to follow for an occasional dud (which happened anyway),
we would be much further in the whole project.  This seems to be a
minority opinion.  As things are, people are instead running for
months with known security holes.  Sure, if such a box is heavily
firewalled, and you are not ever using on it things like a web
browser, then you may not care but this is not always the case.
Oh, well ...  I will probably get out of "7.3 business" pretty soon
anyway.

   Michal



