Jerry Bratton wrote:
> Voting on this one particular update would not help to address the
> larger problem I'm seeing that many security updates take several
> days or even weeks to reach users. The issue is more pronounced in
> F20 than F21 or F22, presumably because there is more interest in
> testing the later releases, but the issue is there nonetheless.

I think you're beginning to get at the actual issue: a lack of interest in testing. Updates could get out much faster if more users would help testing them.

> Even if I were to vote on security updates
> that I noticed were taking a long time in testing, there's still the
> probability that there are many other security updates stuck in
> testing for a long time that I never know about, leaving my system
> vulnerable.

You could address that for yourself by enabling the updates-testing repository. Then you'll get all the latest updates in testing every time you update.

If you don't want to do that, then it's presumably because you want the updates you install to be tested. But you seem to find untested updates acceptable if they're security-related. What if you could install only security updates from testing and put off other updates until they go stable?

(Installing only security updates and no other updates isn't a very good idea, because a general version upgrade or bugfix update may later be found to have fixed some security issue, and then an update that has already been pushed won't get tagged as a security update after the fact. But installing security updates from testing and other updates when they go stable would make sense.)

Being a tester in Fedora seems to be rather all-or-nothing. The only easy way to test updates that I know of is to run with updates-testing enabled. By doing that one takes substantial risks and gets none of the benefit of tested packages. Those who are willing to do that aren't likely to use F20 updates-testing; they're probably using F22 by now.

I think more users might help with the testing if they could test only a few packages that they care particularly about. There seems to be a need for an easy way to find out when there are updates in testing of packages one uses frequently, and to selectively install such packages without installing the rest of updates-testing. If such a thing exists, then it hasn't been announced widely enough for me to notice it in my eleven years as a user and five years as a packager. The way I find out about updates is the package-announce mailing list, where they're announced only when they're pushed to stable.

Björn Persson
-- packaging mailing list packaging@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/packaging