
Re: [Xen-devel] security bugs and release

On Wed, Jun 26, 2013 at 10:21:34AM +0100, Ian Campbell wrote:
> > Is there a real reason because you don't make a new release?
> People who deploy and run production systems want a timely, targeted and
> low risk fix for a security issue, which they can be confident of
> deploying quickly, with a minimum of disruption to their service and
> with the lowest possible chance of breakage. A new release would
> necessarily contain other fixes not related to the security issue and
> therefore takes longer to produce and longer to test and deploy in order
> to reach the same level of confidence.

I think what he meant is why not release a new version with only security
patches in it, so if the current Xen version is 4.2.2, and there's a new
security issue being Xen project would release Xen 4.2.3 with *only* the
security fix(es) added on top of 4.2.2.

Some projects do that, others don't.

Personally I don't have a problem with the current model of only adding the
security fixes to stable branches, without a new tarball release.

-- Pasi
