Re: Syncing fedora packages with security patches to mirrors

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Mar 19, 2015 at 12:18:41PM +0530, Huzaifa Sidhpurwala wrote:
> I work for the Red Hat Product security team, and have been a fedora
> contributor for several years. I was involved with Linux security issues
> like heartbleed, shellshock etc.
> 
> For some time, I have noticed that due to the way fedora mirrors work,
> it takes a lot of time for the packages with security fixes (specially
> ones which have critical impact like openssl) to sync to mirrors. We
> have been announcing links to koji builds for our users in the meantime,
> which is really not scalable for large installs etc.
> 
> Also many times, while talking in conferences and otherwise to fedora
> users, it seems the main concern is the time it takes these security
> fixes to hit our mirrors.
> 
> I have tried talking to several people about a possible solution,
> including CentOS guys and it seems there needs to be a solution to this
> problem.
> 
> One possible solution which i can think of, is to have a security repo,
> which is not  mirrored but centrally location, of-course there are
> several problems with this approach and needs more discussion.

What you are suggesting is, I think, the same what Debian does with
their security repository at security.debian.org:

https://www.debian.org/security/faq#mirror

From my mirror admin point of view the problem is not getting the
packages to the mirrors. The step in the process which takes most of the
time is building the repository. If this security repository (including
the signing) could be created faster the files would be sooner on the
mirrors. So a small repository with higher (or more intelligent) mirror
frequency would probably help a lot.

I think the bigger problem is that it needs additional tools and a
concept how the packages move from the security repository to
updates-testing/updates-released.

		Adrian

Attachment: pgpDcJtejf5eH.pgp
Description: PGP signature

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux