On 11/29/06, Andrew Gaffney <[EMAIL PROTECTED]> wrote:
From other developers, most of which were releng members?
I get most of mine from users, who are normally kind enough to submit the required patches at the same time.
It's stupid to "blame" releng for the stabilization of gcc-4.1.1. We didn't force it on people.
You're responsible for it being stabilised when it was. It's disappointing that you choose to disavow all responsibility for that happening. I'm not arguing that gcc-4.1 shouldn't have been stabilised at some point in time (although the performance penalty it introduces is a shame). I'm just pointing out a flaw with the idea that the releng snapshots are fit for the purpose of being a non-moving tree for our users.
And as always, if you wanted to know what was going on as part of the release, the info was there for everyone to see in the usual places (such as the gentoo-releng mailing list or the #gentoo-releng IRC channel). This argument about people not knowing what releng is doing seems to come up after every release. It's crap.
I don't agree with you, sorry. Releng members in the past have complained about not knowing what is going on elsewhere in Gentoo; they have _specifically_ complained because information was not _actively_ sent in their direction. But, when the point is raised in the opposite direction, your answer is "it's crap". I'm left very disappointed by that.
If it doesn't get a GLSA, it doesn't get in the release tree. This may mean that we need to modify the GLSA process a bit so that ~arch packages found to be vulnerable get GLSAs as well. Although, release tree users won't have these ~arch versions anyway, so I don't see it being *that* big of an issue.
It would be worth checking to make sure that all security bugs for all stable packages get GLSAs first. I don't know whether they do or they don't.
Absolutely, it would be stupid to release it to users without testing that the upgrade path is even feasible. However, we can't test the upgrade with *all* packages in the tree, but we can certainly do it with certain "profiles" (gnome desktop, kde desktop, LAMP server, etc.) to try to cover as many bases as possible. This testing can be easily scripted.
Cool. Best regards, Stu -- gentoo-dev@gentoo.org mailing list
