Hi Dimitri, Thank you for raising this here.
On Tue, Jun 27, 2017 at 10:45:39AM +0100, Dimitri John Ledkov wrote: > Instead, I have been asked by an SRU team member to create a more typical > targetted SRU update which uses divergent packaging on per-series basis, > increasing the delta of each SRU relative the devel series, and minimizing > packaging changes relative each of the series this package will land in. I don't think this statement accurately reflects my position. I did say that we could go down the route of an ongoing SRU exception on the basis of backports as you have done, but this would need separate consideration and documentation, in line with the other exceptions already granted. But this has not been done or requested, which is why I declined to accept the SRU at the moment yet did not reject it immediately. I specifically did not rule this path out, both on IRC and in my bug comment. https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1700373/comments/10 documents my position and that of one other SRU team member. > I find this request to be inconsistent with the current practices of > wholesale backports in the cases when it is not possible to distinguish > piece-wise SRU/CVE bugfixes. It creates extra additional work to maintain > distinct lines of packaging on per-series basis especially when it is not > possible to create SRU / security templates on every individual change as > they are SRUed. I think this statement conflates the packaging and delivery mechanism and the blobs themselves. Source is available for the packaging and your "not possible to distinguish" does not apply to it. *It absolutely is possible* to follow the regular SRU procedure on the changes I am currently declining to accept. Maintaining distinct lines of packaging on a per-series basis is exactly what we choose do in Ubuntu by choosing to maintain multiple stable releases at once. I don't think it makes sense to break out of this pattern in this case for a one-off SRU, for the same reason that we don't do the same thing with the kernel. I'd appreciate opinions from other SRU team members. But I don't understand why you aren't prepared to seek a documented, ongoing exception. Isn't that what you want anyway? Separately, I've seen multiple claims that this is a security issue, but personally I remain unconvinced. If the security team agree with you that it is, then shouldn't this be going in via the security pockets and be moot from an SRU policy perspective? Could you please decide which it is, getting agreement from the security team if required, to avoid further confusion? Robie
signature.asc
Description: PGP signature
-- Ubuntu-release mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-release
