1 |
On 2021-10-21 17:16, Mike Gilbert wrote:
|
2 |
> On Thu, Oct 21, 2021 at 4:05 AM Michał Górny <mgorny@g.o> wrote: |
3 |
>> 4. In the end, Security team isn't really respecting this policy. |
4 |
>> In the end, this leads to absurdities like GLSA being released before |
5 |
>> a package is stable on amd64, and confusing the users [4]. |
6 |
> |
7 |
> This is certainly an absurd mistake, but I think it is unrelated to |
8 |
> the topic of your message. It looks like Whissi jumped the gun on |
9 |
> releasing a GLSA, which could happen regardless of the policy. Am I |
10 |
> missing some context? |
11 |
|
12 |
Yeah, #4 is bullshit.
|
13 |
|
14 |
The security team was never happy with the situation to hold back GLSAs
|
15 |
until last architecture was marked stable.
|
16 |
|
17 |
Saying that we are not respecting our own own policy is absurd. The team
|
18 |
discussed this in 2018 and we agreed that it is fine to already publish
|
19 |
a GLSA in case a GLSA is ready and when at least one major architecture
|
20 |
(amd64 or x86 at that time) was marked stable. That exception doesn't
|
21 |
require a formal policy update.
|
22 |
|
23 |
We even wanted to go one step further and release GLSA when no fixed
|
24 |
version is available at all to inform users and give them a chance to
|
25 |
take actions on their own (to be able to take actions on your own, i.e.
|
26 |
you first need to be aware of a problem). However, this would be too
|
27 |
complicated and would frustrate many users.
|
28 |
|
29 |
The lived practice with releasing GLSA already when just one major
|
30 |
architecture has set stable keyword (and in most cases we covered amd64
|
31 |
and x86 at release time) received good feedback and is accepted by users
|
32 |
and didn't cause any problems (can't remember that we ever got GLSA
|
33 |
feedback for other architectures than amd64 or x86).
|
34 |
|
35 |
|
36 |
--
|
37 |
Regards,
|
38 |
Thomas Deutschmann / Gentoo Linux Developer
|
39 |
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |