
Re: [Xen-devel] Xen release cycle revisited

On 14/12/17 11:38, Juergen Gross wrote:
On 14/12/17 12:28, Julien Grall wrote:

On 14/12/17 07:56, Juergen Gross wrote:
Hi all,

Hi Juergen,

I would recommend to CC committers on that thread, so your thread doesn't
get lost in the xen-devel meanders :).

with 4.10 more or less finished it is time to plan for the next release
4.11. Since 4.7 we are using a 6 month release cycle [1] targeting to
release in June and December.

While this worked reasonably well for 4.7, 4.8 and 4.9 we had some
difficulties with 4.10: bad luck with security patch timing shifted the
4.10 release more towards mid of December. Doing thorough testing of the
latest security patches and trying to release at least 10 days before
Christmas seemed to be almost mutually exclusive goals.

So what do we learn from this experience?

1. Should we think about other planned release dates (e.g. May and
     November - would that collide with any holiday season)?

2. Shouldn't we have tried to include the latest security patches in
     4.10, resulting in the need for 4.10.1 at once?

I am not sure I understand this question here.

Hmm, yes, this is somehow garbled.

Next try:

2. Should we have released 4.10 without those late security patches,
    resulting in the need for 4.10.1 at once?

We were not ready to release on the 2nd December. This would have put the release date too close to the XSAs' published date. The risk was that the security issues announcement would overshadow the release announcement.

3. Should we let the release slip for almost a month in such a case?

The problem is XSAs can happen at any time. Let's imagine we decided to
release in January, what if a new security issue was discovered during
Christmas? Are we going to slip the release again?

Go back to 2. :-)

4. Should we try harder to negotiate embargo dates of security issues to
     match the (targeted) release dates?

Those 4 XSAs were first released under embargo a couple of days before
the targeted release dates.

The usual embargo period is 2 weeks. I think it would be difficult to
request a shorter embargo period because downstream products need time to
apply/test the security fixes.

Right. What about a longer embargo so that it ends well after the
release date? Last minute XSAs just before a 2-3 week period where
a release can't happen (like at Xmas) are the problem.

I guess that could work. The security team would have to convince the discoverer if he/she is happy with it.


Julien Grall
