Here below is my understanding of what has been proposed and (correct me if I am wrong) appears to be in the process of being implemented.

Fedora Legacy QA Process Overview w/Proposed Changes
----------------------------------------------------

1. Vulnerability discerned.

2. Bugzilla ticket for package and vulnerability (with CVE #) opened.

3. Source package(s) for vulnerability proposed.

4. People do SOURCE LEVEL ("PUBLISH") QA on the packages and report in Bugzilla their findings.

5. Once all source packages have been voted for PUBLISH, new signed packages are built and both .src.rpm and (.i386|.x86_64).rpm packages are pushed to updates-testing. An announcement goes out to fedora-legacy-list announcing that packages are ready for testing and asking for participation in doing VERIFY QA.

   NOTE: If there are any objections in the PUBLISH QA or if any distro does not receive a PUBLISH vote, nothing further is done with that package until the issue(s) are resolved.

Old Policy - VERIFY QA to RELEASE:

6. If no positive votes happen on binary packages in updates-testing, they stay in updates-testing and go no further.

7. If one positive vote happens on one distro for pkgs. in updates-testing, a 4-week timeout is set. If no further votes happen before timeout, then after 4 weeks, all packages are released to updates.

8. If two or more distros (but less than all distros) have positive votes, the 4-week timeout is reduced to a two-week timeout at the time the 2nd distro has a "+" vote. At timeout, all packages are released to updates.

9. If all distros get "+" votes, binary packages are considered fully tested, and can be released to updates straight away.

New (Proposed) Policy - VERIFY QA to RELEASE:

6. If no positive votes happen on binary packages in updates-testing, they will be released after a 2-week timeout after having been placed in updates-testing.

7. If one positive vote happens on one distro for the pkgs. in updates-testing, the 2-week timeout is reduced to 1 week from the point of the first positive vote.

8. If two or more distros (but less than all distros) have positive votes, the same timeout as in step (7) of the new policy applies.

9. As in the old policy, if all distros get "+" votes, binary packages are considered fully tested and can be released to updates right away.

Both policies:

10. Packages released to updates from updates-testing are announced on fedora-legacy-list and fedora-legacy-announce-list.

-David

--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list