> On 23 Oct 2021, at 02:55, Thomas Deutschmann <whi...@gentoo.org> wrote:
>
> On 2021-10-21 17:16, Mike Gilbert wrote:
>> On Thu, Oct 21, 2021 at 4:05 AM Michał Górny <mgo...@gentoo.org> wrote:
>>> 4. In the end, Security team isn't really respecting this policy.
>>> In the end, this leads to absurdities like GLSA being released before
>>> a package is stable on amd64, and confusing the users [4].
>> This is certainly an absurd mistake, but I think it is unrelated to
>> the topic of your message. It looks like Whissi jumped the gun on
>> releasing a GLSA, which could happen regardless of the policy. Am I
>> missing some context?
>
> Yeah, #4 is bullshit.
>
Well, it's not bullshit per se, it's just not consistent with the policy. We should update the policy to reflect real life. What I'd probably like us to do is have at least amd64 stable before publishing in future (and if there's a reason amd64 can't be, we probably can't/shouldn't stable on other arches anyway).

> The security team was never happy with the situation to hold back GLSAs until
> last architecture was marked stable.
>
> Saying that we are not respecting our own policy is absurd. The team
> discussed this in 2018 and we agreed that it is fine to already publish a
> GLSA in case a GLSA is ready and when at least one major architecture (amd64
> or x86 at that time) was marked stable. That exception doesn't require a
> formal policy update.
>

I don't get why this means we shouldn't just update the page..?

> We even wanted to go one step further and release GLSA when no fixed version
> is available at all to inform users and give them a chance to take actions on
> their own (to be able to take actions on your own, i.e. you first need to be
> aware of a problem). However, this would be too complicated and would
> frustrate many users.

Aye, although this would involve different instructions.

>
> The lived practice with releasing GLSA already when just one major
> architecture has set stable keyword (and in most cases we covered amd64 and
> x86 at release time) received good feedback and is accepted by users and
> didn't cause any problems (can't remember that we ever got GLSA feedback for
> other architectures than amd64 or x86).
>

best,
sam