[Mageia-dev] RFC: Opening Backports (once again...)
Buchan Milne
bgmilne at zarb.org
Tue Jan 3 10:27:12 CET 2012
On Sunday, 11 December 2011 19:43:35 Florian Hubold wrote:
>
> Whatever the decision is, maybe we could tie this to some conditions:
> Only allow backports if there are near-zero security/critical bugs for the
> stable release or if there are no open bugs for the package in question?
Well, my first question is, *who* is *responsible* for security updates? This
is not specified in the updates policy (the role assigned to build the
security update is named 'Maintainer (or any interested packager)'), but who is
responsible for checking that we have all applicable updates? In Mandriva, it
was the responsibility of the security team (with cooperation from the
maintainer in some cases).
At some stage we also need to look at providing vulnerability data in a
suitable format that supports automated validation (e.g. OVAL?), and a site
able to browse advisories.
> Just some random crazy idea ...
>
> IMHO we should focus on security and bugfixes for the stable release,
> and there are currently too many security bugs open, some for a
> really long time, where nothing is happening for months, yet we still
> talk and concern about opening backports.
FYI: the reason I have been slow on updates for Mageia is that I still have
systems running Mandriva, precisely because the backports situation has not
been finalised, and I don't want to submit all missing packages in Mageia 1 to
updates. Once backports is open, I can drop some Mandriva packages, and spend
more time contributing to Mageia.
So, you can't necessarily say that backports steals time from updates ...
Regards,
Buchan