On Wed, 2014-10-01 at 15:53 -0300, Claudio Freire wrote:
On Wed, Oct 1, 2014 at 3:19 PM, Stephan Kulow wrote:
On 01.10.2014 at 18:10, Ludwig Nussel wrote:
Changed packages:
As you might have guessed from the length of a changelog: this was quite a job to get out - but finally bash is secure in official repo.
While that can readily be seen, by the time Factory is considered truly a replacement of TW, perhaps security patches shouldn't need full integration to get in?
I still prefer a security fix going through staging than shooting every system down.. even though a shutdown system is the most secure there is, it's not where we're heading to.
What I mean is, that thread saying bash patches weren't applied to Factory because then Gnome would be included and it was broken... wasn't that what rings were about preventing?
You misunderstood something here: the new GNOME stack was not in Factory at the time of this reporting... there was still GNOME 3.12 from March. 'something' else happened to sneak through the openQA process which did not trigger the various desktops to fail there (and it was not only GNOME; G just was less random in getting a failure to be seen). So: while the broken stuff already WAS in Factory (not caught in the staging QA runs), bash entered as well.. publishing the state would have meant to knowingly publish a tree possibly breaking.
Perhaps the process should be reviewed a little bit with security patches in mind this time around.
That is the most sensible thing to do, yes. We rely largely on openQA, but as with every test: it's only as reliable as the tests and the things you verify. An addon repo for security-relevant quick fixes might be an option, BUT that would also mean that once Factory publishes, stuff has to disappear from that temp update repo again... (or it will grow endlessly... forever)
I'm sure brilliant ideas on HOW to do all of this are most welcome.
Dominique
--
Dimstar / Dominique Leuenberger