On 20.12.2007 16:05, Michael Schwendt wrote:
> On Thu, 20 Dec 2007 08:41:24 +0100, Thorsten Leemhuis wrote:
>
>> [...] there are currently up to four (or even
>> more) days between pushes afaics (the last one right now for example was
>> on 15 December 2007):
>> * for normal updates that's not a problem, but I think four days are a
>> too long delay for updates that fix security issues.
> If that is true,

Not sure, but the number of security updates in one push looks a bit odd
now and then; take for example

https://admin.fedoraproject.org/updates/F8/FEDORA-2007-3308

Fixes multiple CVEs, but seems it took round about 7 days from build to
the proper repos. The maintainer might be responsible for parts of this
timeframe -- but it looks like it took 2 days from koji/bodhi creation to
testing, and five from testing to stable.

> then wtf is the purpose of the "security" check-box in
> bodhi if it doesn't inform release engineers about the necessity to push a
> security related update?

I suppose part of the reason is to add a [SECURITY] to the subject and
mark it properly in the metadata.

> [...]
>> And, BTW, what's exactly the problem with "moving target for all
>> mirrors"? There were (are?) yum problems iirc (¹), but I suppose we can
>> fix them if we want?
> If the master site is modified too often, the window, during which mirrors
> can sync a complete set [*] of changes, becomes smaller. I guess Matt
> Domsch can tell how often mirrors sync on average.

But on the other hand pushing a lot more packages at once makes the
dataset bigger, which makes the windows smaller for that sync. But I
don't care much.

>> (¹) -- downloading metadata from one mirror, download error on it,
>> switching to another mirror that has even new push where the file yum
>> tries to download is already gone again
> That's one of the problems. Files not found, persistent metadata checksum
> errors (older repomd.xml from previous mirror in conjunction with newer
> metadata from other mirrors), users seeing update announcements but tools
> not seeing the updates [yet].

Yeah, I've seen it as well. Should we file bugs (or are there bugs about
it already?)? skvidal?

> And last but not least, do you like being
> notified about system updates daily?

If they are security or otherwise relevant: yes. Queuing the other stuff
for a once-a-week-push might be okay to the stable repos (but testing
more often would be nice).

> First there's a series of minor
> version updates for some package, then upstream releases the next stable
> major version, and the packager smacks his lips because it's so exciting
> to push that hot new stuff to Fedora 7+8+development instead of giving it
> time to test it in development.

+1

CU
knurd