Mailinglist Archive: opensuse-kde (352 mails)
Re: [opensuse-kde] UpdatedApps for 11.3
- From: Cristian Morales Vega <cmorve69@xxxxxxxx>
- Date: Tue, 4 Oct 2011 17:03:56 +0100
- Message-id: <CAOWQn3Rauk5bqK0LnSVpOc7jwuj37PNtJ3e_qB3wjPa16oo5eA@mail.gmail.com>
On 4 October 2011 13:27, Martin Schlander <martin.schlander@xxxxxxxxx> wrote:
> On Tuesday, 4 October 2011 12:12:11, Sven Burmeister wrote:
>> To repeat myself again. There is no maintainer for KUA! QA is not given.
>> That's all that matters.
>
> KUA has at least the same level of QA as any other unsupported OBS repo, i.e.
> none - except the maintainer himself (that would basically be me, though I
> call in the cavalry when I become aware of significant problems I cannot fix)
> using most of the packages on one specific distro version and arch.
>
> All QA besides that depends on users reporting problems. This is the same as
> for any other OBS repo, whether in the community repos list or not.
>
> Since KUA is limited to links to KDF the packages will actually have been
> tested somewhat before entering KUA, although in a different environment.

As an 11.4 user I ask myself:

- Who will patch the digikam 1.8 package from the main repo if there
is ever a security issue? The security team.
- Who will patch the digikam 2.2 package from the KDF repo if there is
ever a security issue? There are two independent teams here. At the
very minimum upstream will do it (and the KDF maintainers will publish
the update from upstream). And I expect the security team and/or the
KDF maintainers to also do some basic checks since those packages have
to go to Factory. Perhaps it's not as secure as the package from the
official repo, but it gives me some confidence to know someone is
watching it.
- Who will patch the digikam 1.9 package from the KUA repo if there is
ever a security issue? Upstream is NOT going to. KDF maintainers are
NOT going to. Who is going to then?

And that's the simple reason why packages should build. Trust in a
package is a temporal state that disappears the moment the maintainer
publishes an update. What I really trust is the maintainer, not the
package, and the maintainer can only transfer that trust to the LATEST
package. I even stop trusting the packages from the official repo once
an update is published in the updates repo...

>> How do I know? Simply because there would not be a broken 1.9 package in
>> there months after it built correctly (if ever) last time if somebody
>> cared.
>
> You still have not explained how the maintainer is supposed to fix something
> no one reported is broken.

So KUA users should check themselves for security issues and report
them to you? Well, perhaps that should be the official minimum for a
repo to be in the list: "We don't make any promises about how long it
will take to fix security issues. But YOU will NOT need to check for
security issues in the packages from these repos."

--
To unsubscribe, e-mail: opensuse-kde+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-kde+help@xxxxxxxxxxxx