On Wed, Apr 26, 2006 at 07:42:14PM +0200, jdd wrote:
Marcus Meissner wrote:
"SUSE Linux will be updated in less than 24h as soon as a bugfix is released for each and any official SUSE Package"
The security team is not working 24 hours a day ;)
Fixes are released when ready.
I don't really know how you work.
Hah! If you want to listen to 50 minutes of my lecture on exactly this topic at FOSDEM, check out the videos at http://en.opensuse.org/FOSDEM :) My slides are here: http://files.opensuse.org/opensuse/en/a/a1/FOSDEM_security_process.pdf
When apache or Mozilla release a bugfix, I can install the new version right now.
I try to have an idea of how much time goes between the _official bugfix release_ and the YOU update release. Of course as a guess, but said like you do, this could mean tomorrow or never; this is not done to make the user confident :-).
I don't try to make pressure on your team, all the contrary.
I know you are working fast and I would like to advertise it more and more precisely, at least rationally. This is a measure of the trust we can have in YOU, not uninteresting :-)
If I understand well what is said here, you fix the bug sometime _before_ it is announced on the web (I beg you have good information sources :-)
Let me give a brief excerpt of how we work:

- We get knowledge of the vulnerability. Sometimes this is before the actual date it gets known, sometimes at the same time.
- We open a bug and assign it to the package maintainer of this package.
- The package maintainer evaluates the problem, looks for (or uses our) fixes and applies them to the packages of the current development tree and all older supported products. Those fixed packages get submitted to the build system. There is some back and forth between the packager and my team if there is need. Occasionally fixes are incomplete, or broken, requiring to go back to this step.
- The packages get checked in into the build system after review by the build system team member. Occasionally this gets delayed due to high load of the build system on other tasks, or high load on the build system team.
- Once the package has built, a meta patch information file is checked in. The engine then builds patchsets (previously YOU patches, starting with 10.1 repomd data).
- Our QA Team tests the fix. This is one time factor, because they get lots of things to test. Security has priority, but we for instance have multiple items in the queue to test. Testing an update takes an hour up to several hours, depending on how complicated the package is, on how many distributions it is, etc. Feedback is given, if something breaks.
- Updates are released.

All these steps are necessary and all these steps have however human components, which are heavily involved in other SUSE processes too. As seen above, the update process is interwoven with the rest of the development and other delivery processes, making giving out "fixed" times very difficult.

Ciao, Marcus