On 05/29/2015 09:23 PM, Ian Cordasco wrote:
> Could you explain this as well? Do you mean fragmentation between what
> distros are offering? In other words, Ubuntu is packaging Kilo @ SHA1 and
> RHEL is at SHA2. I'm not entirely certain that's a bad thing. That seems
> to give the packagers more freedom.

What happens when there's a security patch? Will upstream publish
patches for each and every distro? I don't believe so.

On 05/29/2015 09:23 PM, Ian Cordasco wrote:
> Perhaps I'm wrong, but when a CVE is released, don't the downstream
> packagers usually patch whatever version they have and push that out?

We would like to have a single patch to share between distros.
Fragmenting the work helps nobody.

> Isn't that the point of them being on a private list to receive
> embargoed notifications with the patches?

The point of the embargo is to give time for testing patches and prepare
a new patched version. Sometimes, we discover problems with the provided
patch during the embargo period. Yes, we use the embargo to sometimes
adapt the patch to the version we have in our distributions, but we
would prefer if that work wasn't needed.

Thomas
