-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Jeff Spaleta wrote: | On Mon, 29 Nov 2004 12:43:15 +0100, Bernd Bartmann | <bernd.bartmann@xxxxxxxxxx> wrote: | |>As such script doesn't seem to exist yet what do think of just opening |>something like the tracker bug for FC3 where we add all the missing |>update announcements. This means adding a separate bug to each package |>without update announcement and using this as an blocker for the tracker |>bug. If this looks ok to you I can volunteer and add these bugs. | | | Getting individual bug reports against each component is the goal... | but security issues | makes the use of a tracking bug tricky. There will be circumstances | that will require bugs to be marked as private. Having a tracking bug | for missing annoucements could very well mean the tracking bug itself | will have to be marked private....defeating the point of the trackiing | bug. Individual bug reports to components, aren't as tricky... the | package maintainer can mark individual reports as private if need be | without impacting other components. | | |>Also I think there should be a central instance (person) that sends out |>all update announcement. Another thing that I already suggested over a |>year ago is that all announcements should be GPG signed using a global |>Fedora or Red Hat key. | | | This requires automation in the build process and how maintainers | interact with the build system and how you define a build master | individual or automated signing. I think there has been great | reluctance to work on this part of the build system until after Fedora | Extras officially launches.. in order to prevent having to redo this | again once contributor updates start flowing. I'm pretty sure other | people recognize something along these lines has to be done.. but the | focus has been on getting the build system opened up for non Red Hat | contributors. Once this happens... I hope internal efforts can be | refocused on identifying several rougher aspects of the red hat and | contributor build process including annoucement generation that need | some automation love. | | I personally see the only garunteed solution for annoucements is to | demand annoucement text be in the system when a package maintain | submits a build to be an update. And such an annoucement requirement | will have to be flexible enough to take into account security embargos | so that an annoucement text can be requested to show up on a certain | date...after the package is in the update tree if need be. This is | the only way to prevent packagers from forgetting about annoucement | text generation. Right now, its not so tough to find a red hat | employee to beat up on another red hat employee if you have access to | any red hat people on a daily basis. But in the future... for fedora | extras.. its going to be much harder to get access to far flung | contributors who are using the same build process as Core maintainers. | And i think people realize the problem exists and I hope they realize | it will get worse once contributors can start spinning up packages | into extras from the same build system. But any real process solution, | is going to have to fit inside the details of the contributor build | process.. which isn't finalized. Its just one of those situations | where the problem is obvious, and the potential solution space is | very wide.. but all specific constraints aren't in place yet to build | a workable implementation that fits the larger process.
Jeff, this is all nice and your broader view for future things to come is good too, but right now I only care about all the updates that were already released and haven't seen any announcement yet.
Best regards.
- -- Dipl.-Ing. (FH) Bernd Bartmann <Bernd.Bartmann@xxxxxxxxxx> I.S. Security and Network Engineer SoHaNet Technology GmbH / Kaiserin-Augusta-Allee 10-11 / 10553 Berlin Fon: +49 30 214783-44 / Fax: +49 30 214783-46 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBqzpPkQuIaHu84cIRArXtAJsHuyWNXV85tTV3S8lDJfar/MTmrQCdEUiZ Uk6DKRPkKmgcfDCYzIflcmU= =vS6s -----END PGP SIGNATURE-----
