On Sat, Nov 30, 2019 at 7:38 PM Gerald Pfeifer <gp@suse.com> wrote:
On Sat 2019-11-30, Neal Gompa wrote:
On Sat, Nov 30, 2019 Stefan Seyfried wrote:
Is there still a "Factory first" policy for SLES?
Yes.
The reason I'm asking is that I was surprised to find there is a bluez update for Leap 15.0 and 15.1 which comes from SLES15. I just found this by accident.
Hmm; I just reached out to the SUSE security team and asked them to look into this.
It is *definitely* still the policy. Unfortunately, I don't know if SUSE is doing anything right now to enforce it. Somebody definitely did something wrong here, as that should have been pushed into Factory first.
Thanks for bringing this to my attention, Neal. Security issues are a bit special in that we strive to release fixes as quickly as possible (at the coordinated release date if applicable), which serially streaming *through* Factory first would not allow for. That said, even in such special cases such changes should go *to* Factory as quickly as possible.
(I have not seen the distinction between "through Factory first" versus "to Factory as quickly as possible" formulated before, but hope it makes sense?)
Something about that is a bit weird, though. In my experience with similar situations in Fedora + RHEL where I am the Fedora maintainer, I am usually added to the private bug for coordinating releasing fixes when Red Hat Product Security has to do this for RHEL and it's not already fixed in Fedora. This would allow both Fedora and RHEL to push the fix at the same time, satisfying issues like embargoes. I would have hoped there's a similar process in place for SUSE/openSUSE coordination. There's nothing that says we can't have SRs pushed to both Factory and SLE/Leap at the same time, and expedite them to be pushed and cycled through.
--
真実はいつも一つ!/ Always, there's only one truth!