[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] security bugs and release

On Tue, 2013-06-25 at 19:07 +0200, Agostino Sarubbo wrote:
> Hello,
> I'd like to know why when there is a new advisory you just release a patch 
> instead of a new release.
> This, in my opinion creates only confusion. For example, if I'm running 4.2.1 
> I don't exatly know which patches have been applied. If you say, this is 
> fixed 
> in 4.2.2 I know that if I'm run that version, I'm fine.

A new point release will rollup all the applicable security updates
issued before that point.

In addition all of our releases are tagged in version control, so you
can trivially find out what went into it.

You could also just run the latest stable-X.Y branch from xen.git. I
wouldn't personally recommend doing so in production but it seems to be
a good fit for your requirements.

> Is there a real reason because you don't make a new release?

People who deploy and run production systems want a timely, targeted and
low risk fix for a security issue, which they can be confident of
deploying quickly, with a minimum of disruption to their service and
with the lowest possible chance of breakage. A new release would
necessarily contain other fixes not related to the security issue and
therefore takes longer to produce and longer to test and deploy in order
to reach the same level of confidence.

I think you will find that this approach to security support is quite
common, especially among critical system components.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.