On Fri, September 23, 2005 1:03 pm, William Stockall said:
> I concur with Mr. McCarty. If untested updates are moved in with the
> tested updates then NONE of the updates can be trusted. Who wants to go
> back to the bug entry to check for sure if an update actually got tested
> prior to rolling it out?
>
> Also, if there was little enough interest that no one tested the patch,
> why is it so important that it be rolled out at all? If they are rolled
> out, they should at least be kept separate from the tested updates.
> That way people can choose whether they add that repository to pull
> updates from.
>
>
> Will.

Well, if you are serious about having a stable system, you should always test the packages yourself on a mock-production machine; otherwise you can never be sure that the package won't break your system, no matter how many other people have tested it previously.

Second, lack of interest in QAing a package does not make the security issue any less of a threat. When people point yum to use FL repos, they are under the impression that they will get security patches in a timely manner. Due to a lack of (wo)man power, it already takes us long enough to get packages out - if we have packages sitting in updates-testing for months/years, we are simply doing a disservice to those who are using FL with the belief that they are safe simply having a nightly yum update run.

Most of the patches we use come straight from RHEL or FC RPMs which have received quite a bit of QA before release - and that makes me feel more confident in having this sort of timeout for packages we can't get enough verifies for.

-Jeff

--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list