|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] security bugs and release
On Tue, 2013-06-25 at 19:07 +0200, Agostino Sarubbo wrote: > Hello, > > I'd like to know why when there is a new advisory you just release a patch > instead of a new release. > > This, in my opinion creates only confusion. For example, if I'm running 4.2.1 > I don't exatly know which patches have been applied. If you say, this is > fixed > in 4.2.2 I know that if I'm run that version, I'm fine. A new point release will rollup all the applicable security updates issued before that point. In addition all of our releases are tagged in version control, so you can trivially find out what went into it. You could also just run the latest stable-X.Y branch from xen.git. I wouldn't personally recommend doing so in production but it seems to be a good fit for your requirements. > Is there a real reason because you don't make a new release? People who deploy and run production systems want a timely, targeted and low risk fix for a security issue, which they can be confident of deploying quickly, with a minimum of disruption to their service and with the lowest possible chance of breakage. A new release would necessarily contain other fixes not related to the security issue and therefore takes longer to produce and longer to test and deploy in order to reach the same level of confidence. I think you will find that this approach to security support is quite common, especially among critical system components. Ian. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |