On Fri, 21 Jun 2013 17:13:03 -0700 Greg KH <[email protected]> wrote:
> Great! But as only the latest version released is "stable", that's > all that should stick around, right? Tricky decision to make. Do we really want to force people's kernel sources to unmerge every single time you push a new version? Which on its own turn, forces them to build and install the new kernel. > > If possible we could script it to keep the package unstable the > > first X days it is in Portage to keep the stabilization effect in > > place; that way Gentoo users are unaffected if something goes wrong > > the day after you push a patch, I assume not, but you never know. > > If something goes "wrong" the day after I push a update, I push a new > one fixing the problem, so this shouldn't be an issue, right? It's not so much about fixing the problem, but rather about the severity of the issue. If this involves a corruption that corrupts a large amount of data on well known hardware which the patches were not tested on, users with such hardware would be affected; if we however delay our Gentoo users, they wouldn't become affected due to an upstream problem, unless they intentionally use the ~ keyword > And as these are coming out about 1-2 a week, the timeout before the > arch teams could get around to marking things stable seems like a lot > of work, for something that isn't really needed at all. What I meant was to not involve arch teams at all, as per the original proposal but just have a cron job running somewhere to stabilize the new versions, as well as to drop older versions. The delayed stabilization and delayed dropping from the tree are merely ideas that I think are in favor of the users; I may be wrong about this but would like to at least see this discussed, unless everyone agrees we should completely reflect the current state as listed on kernel.org. As you probably know, there are different groups of users where some run personal laptops or desktops whereas other run a (professional) server. I think an approach that what would make sense for people running a secure and stable server might not necessarily make sense for people running their own laptop or desktop. Not all exploits target both servers and desktops (eg. they can't get behind router). On the other hand, the vanilla-sources ebuilds set K_SECURITY_UNSUPPORTED="1"; so perhaps we're not even aiming for the (professional) server people at all and therefore perhaps only the laptop and desktop users. Or at least, that's how Gentoo Security and that variable would make it look like; I agree though that it is inconsistent with how upstream would look at these versions, I therofore think it should be a good idea to reevaluate said variable if we are going to change the way we stabilize and drop vanilla-sources. -- With kind regards, Tom Wijsman (TomWij) Gentoo Developer E-mail address : [email protected] GPG Public Key : 6D34E57D GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D
signature.asc
Description: PGP signature
