On 2021-10-21 17:16, Mike Gilbert wrote:
> On Thu, Oct 21, 2021 at 4:05 AM Michał Górny <mgo...@gentoo.org> wrote:
>> 4. In the end, Security team isn't really respecting this policy.
>> In the end, this leads to absurdities like GLSA being released before
>> a package is stable on amd64, and confusing the users [4].
>
> This is certainly an absurd mistake, but I think it is unrelated to
> the topic of your message. It looks like Whissi jumped the gun on
> releasing a GLSA, which could happen regardless of the policy. Am I
> missing some context?

Yeah, #4 is bullshit.

The security team was never happy with the situation of holding back GLSAs until the last architecture was marked stable.

Saying that we are not respecting our own policy is absurd. The team discussed this in 2018 and we agreed that it is fine to already publish a GLSA when a GLSA is ready and at least one major architecture (amd64 or x86 at that time) has been marked stable. That exception doesn't require a formal policy update.

We even wanted to go one step further and release a GLSA when no fixed version is available at all, to inform users and give them a chance to take action on their own (to be able to take action on your own, you first need to be aware of the problem). However, this would be too complicated and would frustrate many users.

The lived practice of releasing a GLSA as soon as just one major architecture has the stable keyword set (and in most cases we covered amd64 and x86 at release time) received good feedback, is accepted by users and didn't cause any problems (I can't remember that we ever got GLSA feedback for architectures other than amd64 or x86).


--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
