On Tue, 25 Oct 2016 17:59:24 -0700
Andrew Lutomirski <luto(a)mit.edu> wrote:
It seems to me that Fedora has three severe distribution wide issues
relating to security updates:
1. Updates, even critical security updates, are very slow. Getting an
update out involves creating a build and an update (which is
reasonably fast for most packages), pushing the update to
updates-testing, getting karma, and pushing to updates. The latter
three can happen in parallel in the best case. The big problem as I
see it is that pushing updates is painfully slow. For reasons that
I'm sure make a lot of internal sense, updates seem to get stuck
behind broken composes and such all the time. Can this be made
better?
It has been. In the last month or so, a bunch of bodhi masher bugs have
been tracked down and we have autosigning in place.
I think people don't realize all the stuff we have to do to push
updates.
IMO it should be possible for a security update to be checked,
incrementally, for sanity with respect to the rest of the package
repository, and then pushed out, without needing to do whatever
expensive work a compose does. If some other update breaks the
compose, I don't think this should cause security updates to get
stuck.
Nope. We have talked about having some kind of fast track, but IMHO, we
should just get the normal process faster.
2. There doesn't appear to be a working process to get updates out
quickly. As a current and pressing example, there is no build for
Firefox 49.0.2.
Ask the maintainer(s)? there could be any number of reasons for this...
3. AFAIK Fedora has no means by which it can participate in
embargoed
updates. For this to work, I think there ought to be private git
branches, a way to get Koji to make a private build from a private git
branch, and a way to get private karma on a private update. Then,
when an embargo is lifted, the packager could merge the private branch
in, the various infrastructure bits could notice that the very same
git commit is now public and permit all of the private builds,
updates, and karma to become public and allow an immediate push to
updates.
Yep. Thats a gigantic pile of work there for sure.
kevin