On Sat, Nov 30, 2019 at 07:46:38PM -0500, Neal Gompa wrote:
> Something about that is a bit weird, though. In my experience with similar situations in Fedora + RHEL where I am the Fedora maintainer, I am usually added to the private bug for coordinating releasing fixes when Red Hat Product Security has to do this for RHEL and it's not already fixed in Fedora. This would allow both Fedora and RHEL to push the fix at the same time, satisfying issues like embargoes. I would have hoped there's a similar process in place for SUSE/openSUSE coordination. There's nothing that says we can't have SRs pushed to both Factory and SLE/Leap at the same time, and expedite them to be pushed and cycled through.

I'm not sure if you are talking about security bugs in general or only about embargoed ones. Unless there is an embargo, our security bugs are public and embargoed ones are switched to public once the embargo is lifted.

I certainly agree that if there is an external maintainer of the openSUSE package, he should be added to the bug when it's public. I don't know, however, if it's allowed to add external maintainers while the bug is still embargoed; that would be a question for someone else who is more familiar with the conditions for the embargo. If not, the external maintainer should be added when the bug goes public.

There is also a technical problem that currently we cannot release openSUSE (no matter if Leap or Tumbleweed) updates as soon as the embargo is lifted even if the openSUSE maintainer is a SUSE employee. This is because the whole process for openSUSE is tied to (public) OBS and all of it (including openQA tests) expects to work with packages built there. Therefore we cannot even start the process before the embargo is lifted as that would require pushing the updated packages into OBS where anyone could see them.

Michal Kubecek