| 1 |
Chris Gianelloni wrote: |
| 2 |
|
| 3 |
> Now, we can definitely use help in testing the snapshot. We're going to |
| 4 |
> be announcing a new round of "Release Testers" for 2007.0 once we get |
| 5 |
> ramped up into the release cycle. I am going to be working with the |
| 6 |
> rest of the Release Engineering team to try to come up with some testing |
| 7 |
> methodologies for people to use when testing, as well as a standard |
| 8 |
> report for successes and failures. |
| 9 |
> |
| 10 |
Well I volunteer for one. I'm guessing you can get someone to post to the |
| 11 |
forums as and when you're ready to get more volunteers ;) |
| 12 |
|
| 13 |
>> >> Wrt security updates, is it possible to tie into GLSAs so that we |
| 14 |
>> >> could automate updating packages that need it? By updating I mean |
| 15 |
>> >> adding the ebuilds and any dependencies (or dependants that might |
| 16 |
>> >> require updating.) |
| 17 |
>> > |
| 18 |
>> > What were you expecting that we would do? |
| 19 |
>> > |
| 20 |
>> Lol; exactly that. I guess I was asking how difficult it is to automate |
| 21 |
>> the process. |
| 22 |
>> |
| 23 |
>> Although Andrew wrote that he didn't think it was necessarily the best |
| 24 |
>> idea. Why is that? |
| 25 |
> |
| 26 |
> Well, these sort of things are hard to automate, for one. Second, if |
| 27 |
> we're trying to produce a quality product, we want to have some checks |
| 28 |
> in place prior to updates hitting the world. Having a set of human eyes |
| 29 |
> helps. |
| 30 |
> |
| 31 |
I totally understand the process point in terms of QA. As for automation, |
| 32 |
isn't there an existing system used to process security bugs? |
| 33 |
|
| 34 |
>> > "or a vulnerable package's dependencies" |
| 35 |
>> > |
| 36 |
>> Sure, if the update meant the dependencies needed updating too. Again, |
| 37 |
>> that'd need automating, so we're talking about checking the tree in both |
| 38 |
>> directions (dependencies and dependants in my terms, sorry if I'm using |
| 39 |
>> the words wrongly.) |
| 40 |
> |
| 41 |
> Why does it need automating? We generally don't get more than 10 or so |
| 42 |
> GLSA a week. Even doing everything by hand, this would be a very |
| 43 |
> minimal workload to keep updated. |
| 44 |
> |
| 45 |
I didn't know the frequency of GLSAs. According to the other thread, not all |
| 46 |
security bugs warrant an advisory. In any event, I don't see why we |
| 47 |
shouldn't automate it while we can to save us the tedious workload later. |
| 48 |
|
| 49 |
|
| 50 |
-- |
| 51 |
gentoo-dev@g.o mailing list |
Archives