[openstack-dev] [all] [stable] No longer doing stable point releases

Ian Cordasco ian.cordasco at RACKSPACE.COM
Sun Jun 7 15:57:49 UTC 2015


On 6/7/15, 03:41, "Thomas Goirand" <zigo at debian.org> wrote:

>On 05/29/2015 09:23 PM, Ian Cordasco wrote:
>> Could you explain this as well? Do you mean fragmentation between what
>> distros are offering? In other words, Ubuntu is packaging Kilo @ SHA1 and
>> RHEL is at SHA2. I'm not entirely certain that's a bad thing. That seems
>> to give the packagers more freedom.
>
>What happens when there's a security patch? Will upstream publish
>patches for each and every distro? I don't believe so.

Does upstream do that now? I don't think so. They send out proposed
patches for each version that's affected (if I understand the process
documents correctly).

>On 05/29/2015 09:23 PM, Ian Cordasco wrote:
>> Perhaps I'm wrong, but when a CVE is released, don't the downstream
>> packagers usually patch whatever version they have and push that out?
>
>We would like to have a single patch to share between distros.
>Fragmenting the work helps nobody.

You already have this if the documentation is correct.

>> Isn't that the point of them being on a private list to receive
>> embargoed notifications with the patches?
>
>The point of the embargo is to give time for testing patches and prepare
>a new patched version. Sometimes, we discover problems with the provided
>patch during the embargo period. Yes, we use the embargo to sometimes
>adapt the patch to the version we have in our distributions, but we
>would prefer if that work wasn't needed.

But there aren't point releases for every CVE fix. There are point
releases that are coordinated at the moment. So if you're waiting for
those point releases to publish a new version of that package in your
package repositories, that's news to me. I've seen packagers take patches
and apply them and merely change the build metadata. Is this only done for
"severe" CVEs at the moment?

If every commit were a release, then you could all synchronize on that, if
you all packaged each commit or, at least, generated a new package each time
a CVE is publicly patched through gerrit.

I think we're probably talking past each other. I have had one set of
experiences with downstream redistributors and CVEs in packages, and
you're describing an entirely different process. I can't think of a time I
haven't published a CVE where older versions of the package weren't
patched by downstream redistributors as well as the current one,
especially if they don't have the free time to publish the new package
version.
