It seems to me that Fedora has three severe distribution wide issues relating to security updates: 1. Updates, even critical security updates, are very slow. Getting an update out involves creating a build and an update (which is reasonably fast for most packages), pushing the update to updates-testing, getting karma, and pushing to updates. The latter three can happen in parallel in the best case. The big problem as I see it is that pushing updates is painfully slow. For reasons that I'm sure make a lot of internal sense, updates seem to get stuck behind broken composes and such all the time. Can this be made better? IMO it should be possible for a security update to be checked, incrementally, for sanity with respect to the rest of the package repository, and then pushed out, without needing to do whatever expensive work a compose does. If some other update breaks the compose, I don't think this should cause security updates to get stuck. 2. There doesn't appear to be a working process to get updates out quickly. As a current and pressing example, there is no build for Firefox 49.0.2. 3. AFAIK Fedora has no means by which it can participate in embargoed updates. For this to work, I think there ought to be private git branches, a way to get Koji to make a private build from a private git branch, and a way to get private karma on a private update. Then, when an embargo is lifted, the packager could merge the private branch in, the various infrastructure bits could notice that the very same git commit is now public and permit all of the private builds, updates, and karma to become public and allow an immediate push to updates. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
