Here below is my understanding of what has been proposed and (correct me
if I am wrong) appears to be in the process of being implemented.

Fedora Legacy QA Process Overview w/Proposed Changes
----------------------------------------------------

  1.  Vulnerability discerned.
  2.  Bugzilla ticket for package and vulnerability (with CVE #) opened.
  3.  Source package(s) for vulnerability proposed.
  4.  People do SOURCE LEVEL ("PUBLISH") QA on the packages and report
      in Bugzilla their findings.
  5.  Once all source packages have been voted for PUBLISH, new 
      signed packages are built and both .src.rpm and (.i386|.x86_64).rpm
      packages are pushed to updates-testing.  An announcement goes out
      to fedora-legacy-list announcing that packages are ready for testing
      and asking for participation in doing VERIFY QA.
      NOTE:  If there are any objections in the PUBLISH QA or if any
      distro does not receive a PUBLISH vote, nothing further is done
      with that package until the issue(s) are resolved.

Old Policy - VERIFY QA to RELEASE:
  6.  If no positive votes happen on binary packages in updates-testing,
      they stay in updates-testing and go no further.
  7.  If one positive vote happens on one distro for pkgs. in
      updates-testing, a 4-week timeout is set.  If no further votes
      happen before timeout, then after 4 weeks, all packages are
      released to updates.
  8.  If two or more distros (but less than all distros) have positive
      votes, the 4-week timeout is reduced to a two-week timeout at the
      time the 2nd distro has a "+" vote.  At timeout, all packages are
      released to updates.
  9.  If all distros get "+" votes, binary packages are considered fully
      tested, and can be released to updates straight away.
      
New (Proposed Policy) - VERIFY QA to RELEASE:
  6.  If no positive votes happen on binary packages in updates-testing,
      they will be released after a 2-week timeout after having placed
      in updates-testing.
  7.  If one positive vote happens on one distro for the pkgs. in
      updates-testing, the 2-week timeout is reduced to 1 week from the
      point of the first positive vote.
  8.  If two or more distros (but less than all distros) have positive
      votes, the same timeout in step (7) of the new policy applies.
  9.  As in the old policy, if all distros get "+" votes, binary
      packages are considered fully tested and can be released to
      updates right away.
      
Both policies:
 10.  Packages released to updates from updates-testing are announced
      on fedora-legacy-list and fedora-legacy-announce-list.


-David

--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list