[opensuse-security] security considerations when Factory is rolling
Hi,

With the new development process that includes staging projects and openQA, Factory is getting sufficiently good enough to be used by a wider audience of distro hackers. If more people use Factory that raises the questions how security issues are handled in Factory though. Right now I think it has rather low priority as long as there is no release pending, right?

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org

On Tue, Jun 17, 2014 at 01:25:58PM +0200, Ludwig Nussel wrote:
> Hi,
>
> With the new development process that includes staging projects and openQA, Factory is getting sufficiently good enough to be used by a wider audience of distro hackers. If more people use Factory that raises the questions how security issues are handled in Factory though. Right now I think it has rather low priority as long as there is no release pending, right?

Well, we ask people to fix security issues for Factory and people seem to use version bumps etc. just nicely.

So Factory is not better nor worse than openSUSE maintenance.

Ciao, Marcus

Marcus Meissner wrote:
> On Tue, Jun 17, 2014 at 01:25:58PM +0200, Ludwig Nussel wrote:
> > With the new development process that includes staging projects and openQA, Factory is getting sufficiently good enough to be used by a wider audience of distro hackers. If more people use Factory that raises the questions how security issues are handled in Factory though. Right now I think it has rather low priority as long as there is no release pending, right?
>
> Well, we ask people to fix security issues for Factory and people seem to use version bumps etc. just nicely.
>
> So Factory is not better nor worse than openSUSE maintenance.

Ok. In case a core package is affected there might be an additional delay due to staging though. I guess we need to handle it on a case by case basis to push packages faster (e.g. by using patch instead of version update) for really urgent issues.

cu
Ludwig

Ludwig Nussel wrote:
> Marcus Meissner wrote:
> > On Tue, Jun 17, 2014 at 01:25:58PM +0200, Ludwig Nussel wrote:
> > > With the new development process that includes staging projects and openQA, Factory is getting sufficiently good enough to be used by a wider audience of distro hackers. If more people use Factory that raises the questions how security issues are handled in Factory though. Right now I think it has rather low priority as long as there is no release pending, right?
> >
> > Well, we ask people to fix security issues for Factory and people seem to use version bumps etc. just nicely.
> >
> > So Factory is not better nor worse than openSUSE maintenance.
>
> Ok. In case a core package is affected there might be an additional delay due to staging though. I guess we need to handle it on a case by case basis to push packages faster (e.g. by using patch instead of version update) for really urgent issues.

The concern Coolo had is that in the current model the Factory repo wouldn't be published unless openQA passes. If for whatever reason some breakage slips through staging projects and breaks post integration QA a security fix may still make it into Factory but may not be published, i.e. not reach the users. So in such a case it may be necessary to use an extra update repo for Factory to bypass the normal process.

cu
Ludwig

participants (2)
- Ludwig Nussel
- Marcus Meissner