Re: [Xen-devel] security bugs and release

On Wednesday 26 June 2013 10:21:34 Ian Campbell wrote:
> A new point release will roll up all the applicable security updates
> issued before that point.
> In addition all of our releases are tagged in version control, so you
> can trivially find out what went into it.
> You could also just run the latest stable-X.Y branch from xen.git. I
> wouldn't personally recommend doing so in production but it seems to be
> a good fit for your requirements.
I'm not a Xen user. I manage and coordinate the security bugs on Gentoo Linux.

> > Is there a real reason why you don't make a new release?
> People who deploy and run production systems want a timely, targeted and
> low risk fix for a security issue, which they can be confident of
> deploying quickly, with a minimum of disruption to their service and
> with the lowest possible chance of breakage. A new release would
> necessarily contain other fixes not related to the security issue and
> therefore takes longer to produce and longer to test and deploy in order
> to reach the same level of confidence.
> I think you will find that this approach to security support is quite
> common, especially among critical system components.

Yes, in the case of a package like Xen, it would be a risk to update without having done a
better test on, e.g., another test machine.

Pasi in his mail made a great proposal. I'd like you to consider it.
Agostino Sarubbo
Gentoo Linux Developer
