On Monday 15 of September 2008 14:30:07 Michal Marek wrote:
Hi, Hi all,
This has two parts
1) The hard part - monitoring upstream changelogs, bugtraq and the like to identify security bugs. Should be probably maintainers' responsibility.
2) Fixing security bugs: As not every package maintainer has to be a programmer, we should allow version updates where it makes sense.
3.) And the community also could help. If there'll be something new in upstream, they should open a bug. The Debian folks use a Bug Tracking system for update requests too.
# What about updates for single packages in that repository? If the repository is frozen after the release, we need an additional repository just for packages containing bugfixes and security fixes. Who will maintain this additional repository? Who will review the packages submitted there? Should there be patches like for the official openSUSE packages available?
Patches are not possible right now, having two repositories is not a good idea. Let's just update packages in the repository.
I agree - two different repositories are definitely not a good idea. What about this workflow?
1.) the maintainers lose write access after the freeze
2.) when it is necessary to fix a (not only a security) bug, the maintainer fixes the package in home:maintainer (and maybe asks for testing on IRC/ML)
- when a fix is done, he'll ask via a submitreq (or a similar mechanism) to apply the patch
- one of the reviewers (or maybe we could create a new role) will do that

BTW: are there some guidelines for Packman? Maybe we are reinventing the wheel, because they have experience with a community-based repository.

Best regards
Michal Vyskocil