[opensuse-factory] Are security updates provided by the core openSUSE team or the community?
Hi,

I've been using openSUSE (specifically Tumbleweed) for a couple of months now and noticed that security updates for openSUSE seem to lag behind other popular distros (ex: Red Hat & CentOS, Debian & Ubuntu, Arch). Even so, it's not usually by too much, maybe just a day or so.

My assumption has been that the openSUSE team just doesn't have the same resources available to it that the other distros have.

For example, with the MozillaFirefox package I noticed that the updated version (v38.0 or 38.0.1) is still not available via the standard repos as of the 20150516 snapshot. Is this an oversight, the conclusion that the security issues with v38.0 are minor, a lack of time or something else?

Thank you for your time.

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hi,

> For example, with the MozillaFirefox package I noticed that the updated version (v38.0 or 38.0.1) is still not available via the standard repos as of the 20150516 snapshot. Is this an oversight, the conclusion that the security issues with v38.0 are minor, a lack of time or something else?

I can't speak for the openSUSE packaging situation, but given that I'm working for Mozilla and involved in the process of releases, I can tell you that 38.0.1 is not a security update. In fact, I think there's nothing really in that update that affects Linux, the main reason why we created it was a startup crash on some Windows systems. So in this case, there probably is not any good reason for openSUSE to even do a 38.0.1 update, other than because of the looks of the version number.

Cheers, KaiRo
On 5/19/2015 10:07 AM, Robert Kaiser wrote:
> Hi,
>
>> For example, with the MozillaFirefox package I noticed that the updated version (v38.0 or 38.0.1) is still not available via the standard repos as of the 20150516 snapshot. Is this an oversight, the conclusion that the security issues with v38.0 are minor, a lack of time or something else?
>
> I can't speak for the openSUSE packaging situation, but given that I'm working for Mozilla and involved in the process of releases, I can tell you that 38.0.1 is not a security update. In fact, I think there's nothing really in that update that affects Linux, the main reason why we created it was a startup crash on some Windows systems. So in this case, there probably is not any good reason for openSUSE to even do a 38.0.1 update, other than because of the looks of the version number.
>
> Cheers, KaiRo

Hi,

Thanks for the reply.

I mentioned 38.0.1 in the same breath as 38.0, which was a mistake. I meant for the emphasis to be on v38.0 which I see listed as a security release. I meant to imply that providing v38.0 or 38.0.1 would provide a current Mozilla Firefox package that has the latest security fixes.
On Tue, 2015-05-19 at 11:54 -0500, deoren wrote:
> On 5/19/2015 10:07 AM, Robert Kaiser wrote:
>> Hi,
>>
>>> For example, with the MozillaFirefox package I noticed that the updated version (v38.0 or 38.0.1) is still not available via the standard repos as of the 20150516 snapshot. Is this an oversight, the conclusion that the security issues with v38.0 are minor, a lack of time or something else?
>>
>> I can't speak for the openSUSE packaging situation, but given that I'm working for Mozilla and involved in the process of releases, I can tell you that 38.0.1 is not a security update. In fact, I think there's nothing really in that update that affects Linux, the main reason why we created it was a startup crash on some Windows systems. So in this case, there probably is not any good reason for openSUSE to even do a 38.0.1 update, other than because of the looks of the version number.
>>
>> Cheers, KaiRo
>
> Hi,
>
> Thanks for the reply.
>
> I mentioned 38.0.1 in the same breath as 38.0, which was a mistake. I meant for the emphasis to be on v38.0 which I see listed as a security release. I meant to imply that providing v38.0 or 38.0.1 would provide a current Mozilla Firefox package that has the latest security fixes.

I assume you're strictly talking Tumbleweed here (*). Security updates are incoming 'as fast as possible', but the process around Tumbleweed, including testing, can at times slow down substantially.

As an example: MozillaFirefox has been submitted to openSUSE:Factory (the Tumbleweed integration/pre-test project) by Wolfgang on 2015-05-15T11:21:09.

Then it entered some staging project (currently Staging:F) and is awaiting a full build including test media. Once the media is ready, it is handed off to openQA to ensure the new media works (there is a bit more in Staging:F than only Firefox, if we'd do one staging per app it would take forever to get anything through).

So, yes, updates are prepared in time but the process can at times slow it a bit down to get to the users. We try to take the security relevance into account when handling stagings, and if something of high criticality is stalled, we certainly will try to find a way around this.

Hope that explains a bit where the delay is coming from

(*) for the regular maintained releases, the process is different of course.

Best regards, Dominique
On 5/19/2015 12:15 PM, Dominique Leuenberger / DimStar wrote:
> On Tue, 2015-05-19 at 11:54 -0500, deoren wrote:
>> Hi,
>>
>> Thanks for the reply.
>>
>> I mentioned 38.0.1 in the same breath as 38.0, which was a mistake. I meant for the emphasis to be on v38.0 which I see listed as a security release. I meant to imply that providing v38.0 or 38.0.1 would provide a current Mozilla Firefox package that has the latest security fixes.
>
> I assume you're strictly talking Tumbleweed here (*). Security updates are incoming 'as fast as possible', but the process around Tumbleweed, including testing, can at times slow down substantially.
>
> As an example: MozillaFirefox has been submitted to openSUSE:Factory (the Tumbleweed integration/pre-test project) by Wolfgang on 2015-05-15T11:21:09.
>
> Then it entered some staging project (currently Staging:F) and is awaiting a full build including test media. Once the media is ready, it is handed off to openQA to ensure the new media works (there is a bit more in Staging:F than only Firefox, if we'd do one staging per app it would take forever to get anything through).
>
> So, yes, updates are prepared in time but the process can at times slow it a bit down to get to the users. We try to take the security relevance into account when handling stagings, and if something of high criticality is stalled, we certainly will try to find a way around this.
>
> Hope that explains a bit where the delay is coming from
>
> (*) for the regular maintained releases, the process is different of course.
>
> Best regards, Dominique

Thanks Dominique, I have a clearer understanding now.
On Tue, May 19, 2015 at 06:15:13PM +0100, Dominique Leuenberger / DimStar wrote:
> I assume you're strictly talking Tumbleweed here (*). Security updates are incoming 'as fast as possible',

Same for openSUSE 13.[12]. We (the security team) depend on the maintainers to submit a fixed package before we can prepare an update. For some packages the maintainers react very fast, for others not so much. Then we have a seven day delay when the updates get tested by some volunteers who bravely install the updates as soon as they are available, which causes additional delay.

Johannes

--
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
Johannes Segitz <jsegitz@suse.com> Wed, 20 May 2015 17:14:16 +0300:
> On Tue, May 19, 2015 at 06:15:13PM +0100, Dominique Leuenberger / DimStar wrote:
>> I assume you're strictly talking Tumbleweed here (*). Security updates are incoming 'as fast as possible',
>
> Same for openSUSE 13.[12]. We (the security team) depend on the maintainers to submit a fixed package before we can prepare an update. For some packages the maintainers react very fast, for others not so much. Then we have a seven day delay when the updates get tested by some volunteers who bravely install the updates as soon as they are available, which causes additional delay.
>
> Johannes

Hello!

Sounds like Ubuntu proposed, how could an openSUSE 13.2 user enable this feature?

--
Best regards, Dmitriy DA(P).DarkneSS Perlow @ Linux x64
On Wed, May 20, 2015 at 06:42:49PM +0300, Dmitriy Perlow wrote:
> Johannes Segitz <jsegitz@suse.com> Wed, 20 May 2015 17:14:16 +0300:
>> On Tue, May 19, 2015 at 06:15:13PM +0100, Dominique Leuenberger / DimStar wrote:
>>> I assume you're strictly talking Tumbleweed here (*). Security updates are incoming 'as fast as possible',
>>
>> Same for openSUSE 13.[12]. We (the security team) depend on the maintainers to submit a fixed package before we can prepare an update. For some packages the maintainers react very fast, for others not so much. Then we have a seven day delay when the updates get tested by some volunteers who bravely install the updates as soon as they are available, which causes additional delay.
>>
>> Johannes
>
> Hello!
>
> Sounds like Ubuntu proposed, how could an openSUSE 13.2 user enable this feature?

Subscribe to our test update channel and report problems :)

http://download.opensuse.org/update/13.2-test/

or for 13.1:

http://download.opensuse.org/update/13.1-test/

reporting by email to maintenance@opensuse.org or bugzilla.

Ciao, Marcus
On 20.05.2015 at 16:14, Johannes Segitz wrote:
> On Tue, May 19, 2015 at 06:15:13PM +0100, Dominique Leuenberger / DimStar wrote:
>> I assume you're strictly talking Tumbleweed here (*). Security updates are incoming 'as fast as possible',
>
> Same for openSUSE 13.[12]. We (the security team) depend on the maintainers to submit a fixed package before we can prepare an update. For some packages the maintainers react very fast, for others not so much. Then we have a seven day delay when the updates get tested by some volunteers who bravely install the updates as soon as they are available, which causes additional delay.
>
> Johannes

And as the example was Firefox I can comment as well ;-)

There was an initial question who is doing security updates. This depends per package I'd say. For Firefox it's basically me and I'm a volunteer and not employed by SUSE. In almost all cases I'm providing the package updates in the mozilla repository in the same hour (sometimes a bit earlier, sometimes a bit later) as upstream releases them.

Now given the Mozilla communications and the "rules" for security updates at this point in time I don't have the official CVE/MFSA security data to put it into the changelog. This information is usually seen crucial by the involved teams to be provided. The announcements are usually later public as the actual update and therefore I

- need to wait for the announcement
- convert it into the changelog format
- need to update the prepared package submissions
- upload the change
- (wait for a successful build)
- submit the update

(multiplied by 3 for Firefox, Thunderbird and xulrunner)

Now this submission was later than usual because of different reasons:

- bank holiday and my computer absence of a day ;-)
- 38.0.1 was created and I wanted to pick it up
- another fix required for Tumbleweed for gcc 5 was added last minute which delayed the submission for another time

Now begins what Dominique has described for Tumbleweed and Johannes for maintained distributions. So you got the full picture now.

I'm not actually sure how to speed up the process while keeping the same level of testing.

Wolfgang
participants (7)

- deoren
- Dmitriy Perlow
- Dominique Leuenberger / DimStar
- Johannes Segitz
- Marcus Meissner
- Robert Kaiser
- Wolfgang Rosenauer