Re: [Xen-devel] [Notes for xen summit 2018 design session] Process changes: is the 6 monthly release Cadence too short, Security Process, ...

On Tue, Jul 03, 2018 at 12:47:14PM +0200, Juergen Gross wrote:
> On 03/07/18 12:23, Lars Kurth wrote:
> > Combined reply to Jan and Roger
> > Lars
> > 
> > On 03/07/2018, 11:07, "Roger Pau Monne" <roger.pau@xxxxxxxxxx> wrote:
> > 
> >     On Mon, Jul 02, 2018 at 06:03:39PM +0000, Lars Kurth wrote:
> >     > We then had a discussion around why the positive benefits didn't materialize:
> >     > * Andrew and a few others believe that the model isn't broken, but that the issue is with how we
> >     >   develop. In other words, moving to a 9 months model will *not* fix the underlying issues, but
> >     >   merely provide an incentive not to fix them.
> >     > * Issues highlighted were:
> >     >   * 2-3 months stabilizing period is too long
> >     
> >     I think one of the goals with the 6 month release cycle was to shrink
> >     the stabilizing period, but it didn't turn out that way, and the
> >     stabilizing period is quite similar with a 6 or a 9 month release
> >     cycle.
> > 
> > Right: we need to establish what the reasons are:
> > * One has to do with a race condition between security issues and the 
> > desire to cut a release which has issues fixed in it. If I remember 
> > correctly, that has in effect almost added a month to the last few releases 
> > (more to this one). 
> The only way to avoid that would be to not allow any security fixes to
> be included in the release the last few weeks before the planned release
> date. I don't think this is a good idea. I'd rather miss the planned
> release date.

Another option could be to make the release on time without any security
patches and then once the security issue is resolved to do a point
release. I'm gonna beat on the Rust drum again but they recently did a
1.27.0 release with a known issue. They felt it was more important to
remain with their 6 *WEEK* release cadence than to break that cadence.
They followed it up with a 1.27.1 release that fixed the issue. The
difference is for security issues that Xen puts out patches that don't
necessarily cleanly apply against the last release tarball and the
staging branch has other fixes other than a security issue in it making
it less clear and easy for a downstream to ship a fix.
