| 1 |
On 2021-10-21 17:16, Mike Gilbert wrote:
|
| 2 |
> On Thu, Oct 21, 2021 at 4:05 AM Michał Górny <mgorny@g.o> wrote: |
| 3 |
>> 4. In the end, Security team isn't really respecting this policy. |
| 4 |
>> In the end, this leads to absurdities like GLSA being released before |
| 5 |
>> a package is stable on amd64, and confusing the users [4]. |
| 6 |
> |
| 7 |
> This is certainly an absurd mistake, but I think it is unrelated to |
| 8 |
> the topic of your message. It looks like Whissi jumped the gun on |
| 9 |
> releasing a GLSA, which could happen regardless of the policy. Am I |
| 10 |
> missing some context? |
| 11 |
|
| 12 |
Yeah, #4 is bullshit.
|
| 13 |
|
| 14 |
The security team was never happy with the situation to hold back GLSAs
|
| 15 |
until last architecture was marked stable.
|
| 16 |
|
| 17 |
Saying that we are not respecting our own own policy is absurd. The team
|
| 18 |
discussed this in 2018 and we agreed that it is fine to already publish
|
| 19 |
a GLSA in case a GLSA is ready and when at least one major architecture
|
| 20 |
(amd64 or x86 at that time) was marked stable. That exception doesn't
|
| 21 |
require a formal policy update.
|
| 22 |
|
| 23 |
We even wanted to go one step further and release GLSA when no fixed
|
| 24 |
version is available at all to inform users and give them a chance to
|
| 25 |
take actions on their own (to be able to take actions on your own, i.e.
|
| 26 |
you first need to be aware of a problem). However, this would be too
|
| 27 |
complicated and would frustrate many users.
|
| 28 |
|
| 29 |
The lived practice with releasing GLSA already when just one major
|
| 30 |
architecture has set stable keyword (and in most cases we covered amd64
|
| 31 |
and x86 at release time) received good feedback and is accepted by users
|
| 32 |
and didn't cause any problems (can't remember that we ever got GLSA
|
| 33 |
feedback for other architectures than amd64 or x86).
|
| 34 |
|
| 35 |
|
| 36 |
--
|
| 37 |
Regards,
|
| 38 |
Thomas Deutschmann / Gentoo Linux Developer
|
| 39 |
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives