On 12/1/19 11:07 AM, Gerald Pfeifer wrote:
> On Sat 2019-11-30, Neal Gompa wrote:
>> On Sat, Nov 30, 2019 Stefan Seyfried wrote:
>>> Is there still a "Factory first" policy for SLES?
>> Yes.
>>> The reason I'm asking is that I was surprised to find there is a bluez update for Leap 15.0 and 15.1 which comes from SLES15. I just found this by accident.
> Hmm; I just reached out to the SUSE security team and asked them to look into this.
Speaking as someone who regularly fixes critical embargoed security issues: it is common practice to prepare a SLE update and ideally have it ready at the point when the embargo is lifted, so we can ship already tested packages to customers / Leap when the embargo is lifted. We can't fully prepare a submission for Factory / Tumbleweed until the embargo is lifted, however, as the Open Build Service has no mechanism to make packages private.

Further, packages are often fixed differently between SLE/Leap and Tumbleweed. Generally upstream will create a new release when security issues are fixed; our customers traditionally have a fear of updating to new releases, so for SLE/Leap the update to fix the issue will generally contain patches that have been backported (with occasional exceptions). For Factory/Tumbleweed, however, it almost always makes more sense to just take the new version. Often this means going through staging / reviews etc. For critical issues we will do our best to communicate with the release team / legal to make this process as quick as possible. But the key part of "Factory First" here is that the CVEs are fixed everywhere in some way, not that the list of packages ends up the same.

It seems that in this case this process might not have worked correctly, but I'll reply to Stefan's original email about that.

-- 
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B