Here below is my understanding of what has been proposed and (correct me
if I am wrong) appear to be in the process of being implemented.
Fedora Legacy QA Process Overview w/Proposed Changes
----------------------------------------------------
1. Vulnerability discerned.
2. Bugzilla ticket for package and vulnerability (with CVE #) opened.
3. Source package(s) for vulnerability proposed.
4. People do SOURCE LEVEL ("PUBLISH") QA on the packages and report
in Bugzilla their findings.
5. Once all source packages have been voted for PUBLISH, new
signed packages are built and both .src.rpm and (.i386|.x86_64).rpm
packages are pushed to updates-testing. An announcement goes out
to fedora-legacy-list announcing that packages are ready for testing
and asking for participation in doing VERIFY QA.
NOTE: If there are any objections in the PUBLISH QA or if any
distro does not receive a PUBLISH vote, nothing further is done
with that package until the issue(s) are resolved.
Old Policy - VERIFY QA to RELEASE:
6. If no positive votes happen on binary packages in updates-testing,
they stay in updates-testing and go no further.
7. If one positive vote happens on one distro for pkgs. in updates-
testing, a 4-week timeout is set. If no further votes happen
before timeout, then after 4 weeks, all packages are released to
updates.
8. If two or more distro's (but less than all distros) have positive
votes, the 4-week timeout is reduced to a two-week timeout at the
time the 2nd distro has a "+" vote. At timeout, all packages are
released to updates.
9. If all distros get "+" votes, binary packages are considered fully
tested, and can be released to updates straight away.
New (Proposed Policy) - VERIFY QA to RELEASE:
6. If no positive votes happen on binary packages in updates-testing,
they will be released after a 2-week timeout after having placed
in updates-testing.
7. If one positive vote happens on one distro for the pkgs. in updates-
testing, the 2-week timeout is reduced to 1-week from the point
of the first positive vote.
8. If two or more distro's (but less than all distros) have positive
votes, the same timeout in step (7) of the new policy applies.
9. As in the old policy, if all distros get "+" votes, binary pack-
ages are considered fully tested and can be released to updates
right away.
Both policies:
10. Packages released to updates from updates-testing are announced
on fedora-legacy-list and fedora-legacy-announce-list.
-David
--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
