On 10/26/2016 12:23 PM, Pavel Raiskup wrote:
On Tuesday, October 25, 2016 7:37:32 PM CEST Kevin Fenzi wrote:
3. AFAIK Fedora has no means by which it can participate in embargoed
updates.  For this to work, I think there ought to be private git
branches, a way to get Koji to make a private build from a private git
branch, and a way to get private karma on a private update.  Then,
when an embargo is lifted, the packager could merge the private branch
in, the various infrastructure bits could notice that the very same
git commit is now public and permit all of the private builds,
updates, and karma to become public and allow an immediate push to
updates.

Yep. That's a gigantic pile of work there for sure.

That's too vague a statement, really.  Can you make a better estimation?  As
far as I understand, there are processes in Debian which allow them
to prepare CVE builds so they are able to provide "testing" builds to users
immediately after the public announcement.

Debian has a completely separate installation of its equivalent to Koji (the dak part, the builders are separate from archive management). Nowadays, its source code is mostly up to date with what the main archive uses, but there are still lingering data synchronization issues.

Debian does not build from SCM, but directly from maintainer-uploaded source packages, so there is no need to have a private SCM.

The security archive is separate as well, and it is served by a Debian-maintained push mirror network, unlike the main archive, where most users use third-party mirrors.

For Fedora, I would suggest replicating the separate security archive with its push mirrors. The way the Fedora updates repository is updated seems to cause far more delays than what is lost due to build delays (the only part the embargoed builders could improve).

Florian