Michael Scherer wrote:

This mail is about handling update on the backport repository. Either
new version, or bugfix, or security upgrade.

Everybody was focused on "should we do patch, or should we do more
backport" issue, but the real problem is not really here.

First, we have to decide what kind of updates we want to see, among
the 3 types:
- bugfixes
- security bug fixes,
- new version

For bugfixes and new versions that are not known to have security implications, let's treat them essentially as new backports.
If the bug was reported locally, the reporter would be involved in the testing.
Such updates would be installed as any other backport.
However I would favour notifying those who have installed previous versions of these backports, of the availability of newer versions.
Maybe even having a backports updates category.  (But not to be installed 
automatically by default.)

For security issues, I'm not sure that it is important how we find out.
As far as responsibility goes, I think the main responsibility should lie with the packager, but it could be useful for the security team to monitor it, to find an alternate packager if necessary.
(Presumably from those who have tested or installed the package.)
(I don't know who monitors security issues now, I just assume the security 
team.)

However, I think that such packages should be tested as normal for backports, and then treated as security updates, to be automatically applied. This is because those who have installed the backport in question have decided to accept a higher degree of risk. However, a security issue can be a much greater risk, and is something that is normally resolved automatically. So by installing a security bug fix automatically for a backport, we are essentially maintaining the level of risk already assumed by the user.


In summary :

In terms of testing, I see all backport updates as following the same process as for the initial backports. (As outlined by misc in another thread.)

For non-security updates, I see essentially the same installation process as 
for initial backports.
Adding some form of notification to those who have installed a previous version of the backport in question.

For security updates, I see automatic installation as with any security update.

The treatment of these updates would depend on what is installed on the user's system, and not what repositories are selected.

In terms of monitoring security issues, why not use the same as for other 
packages ?

my 2 cents :)
--
André
