[openstack-dev] [all] [stable] No longer doing stable point releases

Thomas Goirand zigo at debian.org
Tue Jun 9 08:39:13 UTC 2015 

On 06/07/2015 05:57 PM, Ian Cordasco wrote:
> On 6/7/15, 03:41, "Thomas Goirand" <zigo at debian.org> wrote:
> 
>> On 05/29/2015 09:23 PM, Ian Cordasco wrote:
>>> Could you explain this as well? Do you mean fragmentation between what
>>> distros are offering? In other words, Ubuntu is packaging Kilo @ SHA1
>>> and
>>> RHEL is at SHA2. I'm not entirely certain that's a bad thing. That seems
>>> to give the packagers more freedom.
>>
>> What happens when there's a security patch? Will upstream publish
>> patches for each and every distro? I don't believe so.
> 
> Does upstream do that now? I don't think so.

The point it: they don't need to do it, because all distro are using the
same reference point (ie: the point releases).

>> On 05/29/2015 09:23 PM, Ian Cordasco wrote:
>> The point of the embargo is to give time for testing patches and prepare
>> a new patched version. Sometimes, we discover problems with the provided
>> patch during the embargo period. Yes, we use the embargo to sometimes
>> adapt the patch to the version we have in our distributions, but we
>> would prefer if that work wasn't needed.
> 
> But there aren't point releases for every CVE fix. There are point
> releases that are coordinated at the moment. So if you're waiting for
> those point releases to publish a new version of that package in your
> package repositories, that's news to me. I've seen packagers take patches
> and apply them and merely change the build metadata. Is this only done for
> "severe" CVEs at the moment?

I try to do a security fix on every OSSA the way you describe above. I
suppose other distros are doing the same (but I didn't take the time to
check).

> If every commit were a release, then you could all synchronize on that, if
> you all packaged each commit or at least, generate a new package each time
> a CVE is publicly patched through gerrit.

Adding a bunch of unrelated commits for a CVE fix may be acceptable for
Debian Sid, but it wouldn't for the stable distribution.

But anyway, the discussion about point releases is only barely related
to CVE fixing. The point is that we would like to have a common
reference point between distribution, were we would all be able to say:
version X.Y.Z of this server has a bug, it broke the CI of N and M
distribution, we need a fix release. Without such a coordination, we
wouldn't have as much attention from upstream to produce clean point
releases.

Cheers,

Thomas Goirand (zigo)

More information about the OpenStack-dev mailing list