To tell the truth, to me at least, to support legacy systems I only really care about critical security updates that could remotely compromise the system (not even theoretical stuff is of interest). Even local compromise is not THAT important to me... but in my view, a critical remote vulnerability should get priority, and at least those should get tested, everything else can really take the back burner. I think we need to spend our very limited energy more productively.

If someone wants to use updates that supposedly haven't been tested, they can use the testing repository, right? Nothing stopping them from using it. As for everyone else... I'm more about plain old stability. Think about the people still using legacy systems like RH9, they obviously aren't "leading-edge" or anything, and probably aren't interested in little bug fixes here and there, and would probably only be interested in the worst-case security problems.

----- Original Message -----
From: "William Stockall" <wstockal@xxxxxxxxxxxxxxxx>
To: "Discussion of the Fedora Legacy Project" <fedora-legacy-list@xxxxxxxxxx>
Sent: Saturday, September 24, 2005 1:03 AM
Subject: Re: Fwd: Re: releasing updates-testing packages without VERIFY votes

> I concur with Mr. McCarty. If untested updates are moved in with the
> tested updates then NONE of the updates can be trusted. Who wants to go
> back to the bug entry to check for sure if an update actually got tested
> prior to rolling it out?
>
> Also, if there was little enough interest that no one tested the patch,
> why is it so important that it be rolled out at all? If they are rolled
> out, they should at least be kept separate from the tested updates.
> That way people can choose whether they add that repository to pull
> updates from.
>
> Will.
>
> Mike McCarty wrote:
> > Eric Rostetter wrote:
> >
> >> Arg, sent with wrong From: address, so here it is again, since the
> >> moderator probably won't get to it for a while...
> >>
> >> ----- Forwarded message -----
> >> Subject: Re: releasing updates-testing packages without VERIFY votes
> >> To: fedora-legacy-list@xxxxxxxxxx
> >>
> >> Quoting Pekka Savola <pekkas@xxxxxxxxxx>:
> >>
> >>> I suggest changing the policy so that packages in updates-testing
> >>> which haven't got any VERIFY votes could:
> >>
> >> First, let me say that it would take less time for the people involved
> >> in these "let's publish without QA" discussions to just QA the packages
> >> than they are spending arguing if we should publish them without any QA.
> >> But, back to the current point of discussion...
> >>
> >>> - after 2 weeks, marked with a timeout
> >>> - after the timeout of 4 weeks [i.e., 6 weeks total] be
> >>>   officially published
> >>
> >> This goes against everything this group was founded on, and all Best
> >> Practices. However, it does seem to be popular with the few folks
> >> involved in these conversations. So, I'll approve of this, but only
> >> if amended to include the following:
> >
> > Well I don't. I object to it, period. It's not only not best practice,
> > it's bad practice.
> >
> > If no one picks it up, and tests it, then how do we know it doesn't
> > create a worse problem than it reputedly solves?
> >
> > [snip]
> >
> > Mike
> >
> > --
> > fedora-legacy-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-legacy-list