On Tue, 25 Oct 2016 17:59:24 -0700 Andrew Lutomirski <luto@xxxxxxx> wrote: > It seems to me that Fedora has three severe distribution wide issues > relating to security updates: > > 1. Updates, even critical security updates, are very slow. Getting an > update out involves creating a build and an update (which is > reasonably fast for most packages), pushing the update to > updates-testing, getting karma, and pushing to updates. The latter > three can happen in parallel in the best case. The big problem as I > see it is that pushing updates is painfully slow. For reasons that > I'm sure make a lot of internal sense, updates seem to get stuck > behind broken composes and such all the time. Can this be made > better? It has been. In the last month or so, a bunch of bodhi masher bugs have been tracked down and we have autosigning in place. I think people don't realize all the stuff we have to do to push updates. > IMO it should be possible for a security update to be checked, > incrementally, for sanity with respect to the rest of the package > repository, and then pushed out, without needing to do whatever > expensive work a compose does. If some other update breaks the > compose, I don't think this should cause security updates to get > stuck. Nope. We have talked about having some kind of fast track, but IMHO, we should just get the normal process faster. > > 2. There doesn't appear to be a working process to get updates out > quickly. As a current and pressing example, there is no build for > Firefox 49.0.2. Ask the maintainer(s)? there could be any number of reasons for this... > 3. AFAIK Fedora has no means by which it can participate in embargoed > updates. For this to work, I think there ought to be private git > branches, a way to get Koji to make a private build from a private git > branch, and a way to get private karma on a private update. Then, > when an embargo is lifted, the packager could merge the private branch > in, the various infrastructure bits could notice that the very same > git commit is now public and permit all of the private builds, > updates, and karma to become public and allow an immediate push to > updates. Yep. Thats a gigantic pile of work there for sure. kevin
Attachment:
pgpQxejtz7ZXm.pgp
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
