On Monday 15 of September 2008 14:30:07 Michal Marek wrote:
This has two parts:
1) The hard part - monitoring upstream changelogs, bugtraq and the like
to identify security bugs. This should probably be the maintainers' job.
2) Fixing security bugs: as not every package maintainer has to be a
programmer, we should allow version updates where it makes sense.
3.) And the community could also help. If there is something new
upstream, they should open a bug. The Debian folks use a bug tracking system
for update requests too.
# What about updates for single packages in that repository? If the
repository is frozen after the release, we need an additional repository
just for packages containing bugfixes and security fixes. Who will
maintain this additional repository? Who will review the packages
submitted there? Should patches be available, as they are for the official
openSUSE packages? Related: [opensuse-factory] Contrib: Progress
Patches are not possible right now, and having two repositories is not a
good idea. Let's just update packages in the repository.
I agree - two different repositories are definitely not a good idea.
What about this workflow?
1.) the maintainers lose write access after the freeze
2.) when it is necessary to fix a bug (not only a security bug), the maintainer
fixes the package in home:maintainer (and maybe asks for testing on IRC/ML)
- when the fix is done, he'll ask via a submitreq (or a similar mechanism) to
apply the patch
- one of the reviewers (or maybe we could create a new role) will do that
BTW: are there any guidelines for Packman? Maybe we are reinventing the wheel,
because they have experience with a community-based repository.