On 14/12/17 13:43, Julien Grall wrote:
> On 14/12/17 11:38, Juergen Gross wrote:
>> On 14/12/17 12:28, Julien Grall wrote:
>>> On 14/12/17 07:56, Juergen Gross wrote:
>>>> Hi all,
>>> Hi Juergen,
>>> I would recommend to CC committers on that thread, so your thread doesn't
>>> get lost in the xen-devel meanders :).
>>>> with 4.10 more or less finished it is time to plan for the next release
>>>> 4.11. Since 4.7 we are using a 6 month release cycle [1] targeting to
>>>> release in June and December.
>>>> While this worked reasonably well for 4.7, 4.8 and 4.9 we had some
>>>> difficulties with 4.10: bad luck with security patch timing shifted the
>>>> 4.10 release more towards mid of December. Doing thorough testing of the
>>>> latest security patches and trying to release at least 10 days before
>>>> Christmas seemed to be almost mutually exclusive goals.
>>>> So what do we learn from this experience?
>>>> 1. Should we think about other planned release dates (e.g. May and
>>>>      November - would that collide with any holiday season)?
>>>> 2. Shouldn't we have tried to include the latest security patches in
>>>>      4.10, resulting in the need for 4.10.1 at once?
>>> I am not sure I understand this question here.
>> Hmm, yes, this is somehow garbled.
>> Next try:
>> 2. Should we have released 4.10 without those late security patches,
>>     resulting in the need for 4.10.1 at once?
> We were not ready to release on the 2nd December. This would have put
> the release date too close to XSAs published date. The risk was that the
> security issues announcement would overshadow the release announcement.

Okay. So for me it seems as if a planned release early December is the
main problem: either the release slips no more than 2 weeks or it will
slip for more than 5 weeks.

Having only 2 weeks of spare time is a major risk.

>>>> 3. Should we let the release slip for almost a month in such a case?
>>> The problem is XSAs can happen at any time. Let's imagine we decided to
>>> release in January, what if a new security was discovered during
>>> Christmas? Are we going to slip the release again?
>> Go back to 2. :-)
>>>> 4. Should we try harder to negotiate embargo dates of security issues to
>>>>      match the (targeted) release dates?
>>> Those 4 XSAs were first released under embargo a couple of days before
>>> the targeted release dates.
>>> The usual embargo period is 2 weeks. I think it would be difficult to
>>> request a shorter embargo period because downstream products need time to
>>> apply/test the security fixes.
>> Right. What about a longer embargo so that it ends well after the
>> release date? Last minute XSAs just before a 2-3 week period where
>> a release can't happen (like at Xmas) are the problem.
> I guess that could work. The security team would have to convince the
> discoverer if he/she is happy with it.

Sure, like Ian pointed out in another thread.
