[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Xen Summit 2023 Design Session: Stable Releases

  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Henry Wang <Henry.Wang@xxxxxxx>
  • Date: Mon, 26 Jun 2023 20:31:03 +0000
  • Accept-language: zh-CN, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GBM6UfEb0tfydvZVwh/Qvf8w7fmLo3MsFup7d7Get+o=; b=bJaL5/honfv7n1ZszvsZn5DKs+3DfBpb/RlLqc0gCc8/kq7nT63l0RiFylCc6CQuyHo9VYwtcTL2yZtv+TUFsyrC7yts/XzEHM7BXalEYL27Rfl1DawbT4+GgHIscE1ZMAgw3CT87TaQGE+9RXxNZTSKVUF64ik1jBp5K5iK/IDrSVuRIFqxO48xjDKik0nd03JuUX+fWf8Vp6P8aJtOiHaIHCQSfAnHzhDfBgN0ORTSylTJw9agb9UsHaCxDUPs0hVEYUCIUY7xcEl/ZC7N76SW5XouUs/fdSlK61RF6FOZBjoy018MNOxHm1XOeMphPiNmaQShk8lpnto9wRdiSg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dYOat4n4q7h7/9YXIzunJ0vbURQ43d/IFlufN+XLx4d41QSEfvIM2lTLiVH8X+kXnOM9kTBVBduLjb36+tISrDV08hXeOhzkCrirSt0vIZ1jX44DwWFSGkSFPshjm+AfkI/n57sgRJ1EdSRkISLNjNnQrpLDOYijsCJgLRNPcvQfBXFdj9prw8tFCTFl7rK2gtNwugLALRR6a2fuiFsty8QZdEMzngqGX2kMqtpDRS2iHEt6Cf1/R8JM3SKT6S6Gv+8nYdeE8jIwYpNW19GTLUwUEcIKOcUD2M8S8UgMOL8ypqf0y0hMaSolwFZtPSIn/0XahMENnzTvwXJbESNPFw==
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Luca Fancellu <Luca.Fancellu@xxxxxxx>
  • Delivery-date: Mon, 26 Jun 2023 20:31:43 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Thread-index: AdmobMSQTHaF+Lp8SkK9E1+SOwB5PA==
  • Thread-topic: Xen Summit 2023 Design Session: Stable Releases
Hi all,

Below is the note that me and Luca have taken for the stable release design 
session.
Thanks Luca for sharing his notes.

Jan: for long time we've done time-based stable releases, but overtime
     it is brought up purely time based release is not a good idea.
     Sometimes because of XSA, sometimes backported patch does not apply
     cleanly. One possible solution is one stable release per XSA, but we
     need to consider we need to be practical, too frequent releases brings
     problem for people.
     One of the problem is, that patches are not public, before the embargo,
     so the public tree cannot be prepared for the release until the embargo
     expires. Maybe some preparation can be done upfront?
Jan: Should we change the stable release strategy, Do people think that we 
     should change timely cadence of the release?
B: This is only for stable release?
Jan: Yes, Major release are going to stay as they are, stable release are
     the subjects.
G: We need to know what the users of stable releases, what do they want
A: Current thing is good for Qubes
A: I've been informed that some customers in mailing list wants more frequent
   release, fedora, etc.
A: I know some projects cut releases once per security fix. I got the 
   impression from customers that they want one release per security issue.
   what they want is after the embargo, they can pull the tag with the security
   fix.
B: I am on the yocto side, having downstream patches stored in yocto is not 
   good. Bumping versions is easier.
A: sometimes the people preparing the tarball of Xen is not technically
   "users". The point of Xen security team is to deliver the security fixes
   as easy as possible to everywhere.
Jan: Sometimes it is hard to get the binaries on time after the embargo. We 
   need to have a model to have binaries right after the embargo
B: Most of the time yocto is in the middle. Xen version is bumped in yocto 
   every yocto release, by then the XSAs are pulled in. for yocto it is not
   possible to maintain the single XSA by downstream patches
Jan: why dont we do partial release, tags but no tarballs
A: that would be satisfactory for the people who complains, normally no one
   uses tarballs now. This would be entirely fine.
G: We can ask who is using the tarballs, we can ask LF.
Jan: dependency for the leaf trees and qemu
B: tarballs is useful for students and new starters without Xen knowledge.
Julien: We can use gitlab to make the tarball?
A: tarballs from Xen dir is not 100% the tree. It contains more such as qemu
   dep so not be directly done by gitlab.
B: we need to be realistic about what we can do in short terms. The number of
   tarball downloads would be the initial question.
Jan: mini-os
A: Just add a tag for sub-releases in xen.org would be good for most of people
   complaining.
G: we can ask in xen-devel to collect feedback about tarball. maybe a survey.
B: You can apply the tag as soon as you apply the XSA. We can also not limit 
   this way to only XSA.
Jan: Too many releases?
A: we can have even more digits in the release numbers
Jan: for interim releases, make no announcements, no tarballs, no website, but 
   for normal stable releases, do them all.
A: Users do not really cares about tarballs, websites. 
G: we can put more info about these release in the new website or gitlab
   instead of xenbits website.
Julien: Can we check the number of downloads?
A: We check the number of downloads, if nobody care, we announce that we move
   the website etc. about the releases to new places.
G: also ask users what do they need.
B: You need a phase out. You cannot do all the movement instantly. You do it 
   step by step with proper guidance for users.
Jan: If we do more frequent release, we cannot ping people about backports as a 
   new release is coming, because this means revealing there is a security hole
   in the code and the XSA is coming. we need to ask for more frequent of 
   backports and probably give Anthony commit privileges for maintaining the 
   tools.
G: Summary: if we don't have to do the tarballs for sub release, it is fine. If 
   we have to try to figure out who is consuming the releases as an 
understanding,
   then start from there.
   Putting a tag will solve the complaints from people, there is a general  
agreement.
   Check the number of downloads, put something out something in a public page 
   to ask feedback on the retirement of the tarball. So we should phase out 
   that, in an agreed time.
Jan: Discuss in community call

Kind regards,
Henry

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.