On Monday 10 November 2003 13:25, Lucas Albers wrote: > Have we started thinking about what build method we will use. Manual chroots possibly with mach. The build system that was being put together for Fedora has hit a snag, and thus we can't have it by the time we need to launch. Manual chroots it is. > Where is our primary buildhost going to be? My company, Pogo Linux, has offered us a dual opteron server, and rackspace at their colo. This will be the main Fedora Legacy system. It'll be located in the South Seattle area of Washington State, USA. > Bugzilla database? Probably on the Legacy opteron server. > Erratta Database? Interesting idea, I'm open to suggestions. Just a MySQL or PGSQL database driven web query page? > Who is going to be the primary host? My company's colo is for now. > How long a cycle are we going to have from exploit to update release? Depends on many things. Obviously we'll try to minimize it, but it'll depend on the package, how close the latest RH supported version is to any given backport, how long it takes to get through QA, all that fun stuff. Hard to say, but as quick as possible. > Are we going to use http/apt/up2date or what to distribute the > releases? We'll be using yum and apt to push our updates. > Who has final say on whether to do rpm upgrades or not. No one person. It's a community thing. Sure I'm the guy in the lead right now, but I don't get to set policy myself, that'll drive people away. We need to start a new thread on this subject. Warren, you had a good suggestion to bump people up to the latest on rpm.org for each given distro. I can see this for 8.0 and 9, which had some nasty lock bugs, but what of 7.2 and 7.3, is it really necessary? > Has anyone asked a knowledgable rpm package at redhat their private > opinion on the matter, in order to get some expert advice on this? I chat w/ RH packagers on a daily basis, they're offering as much help/insite as they possibly can. > Are their any experts on rpm packaging with practical experience that > can say that we need to upgrade rpm packages or not upgrade packages? > > What is our release cycle going to be? What are our deadlines? 1-2-3-out. We'll be supporting 2 FC releases, while RH supports the 3'rd. Being "out" doesn't mean we won't accept/release updates, but it will not be the focus, nor will any guarantees be made as to updates provided for "out" releases. > Are we supporting desktop applications or just server applications? At this point, we'll be suppporting any package that has a security flaw reported to it, within reason. > The deadlines that I see are thus: > > Finalize Draft. > Implement Bugzilla database. > Come up with primary build committee. > Start monitoring erratta for our versions. > Do a test build for all our supported os version. > Determine what QA structure we will be using, how much if any QA > testing will we be doing? Fedora.us style QA probably. As much QA as possible. We stress tested/stable backports, not "hey look, it compiled!" > Will we be releasing binary or src rpms? Both. > How to prevent random evil people from sticking in trojans in a patch > they submit? Heavy peer review, trusted commiters, etc.. > Setup up distribution repository. > Setup mirrors. > Setup synchronization schedule. > Distribute directions on using fedora-legacy. > Distribute gpg key for use. > Distribute a rpm upgrade if necessary for everyone who will use. > Ideas? I do like your list, nice and complete. We'll be going off of this list. -- Jesse Keating RHCE MCSE (geek.j2solutions.net) Fedora Legacy Team (www.fedora.us/wiki/FedoraLegacy) Mondo DevTeam (www.mondorescue.org) GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub) Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating
Attachment:
pgp00056.pgp
Description: signature
