On Wed, Apr 12, 2006 at 02:33:16PM +0200, VMiklos wrote:
> that's not too big a problem even without a RELEASE file. i mean to
> determine if we're in -current or -stable. the stable->0.4 conversion is
> the best if it's based on the symlink at /pub/frugalware (if necessary,
> i can add a repoman option for this so that rf can use it)

Please add this feature, as it makes our life easier.

> > Having syncd is also good. We should handle it manually too, but it's
> > always cool to have things done automatically. And please add mail
> > support on fail too so we can keep track what is really done.
> hmm, do we have a task for this?

Of course. See #599 :)

> let's see. basically i don't know how much work it is to backport changes
> with our release cycle (6 months). for example when a newer version
> requires a newer lib, then we should extract the security fix - this kind
> of work is very different from the work which is done in -current. doing
> both in parallel is a nice idea - let's hope it's possible

Well, i don't know how much work this is, but simply bumping the
packages in -stable doesn't work all the time. Adding only the security
patch is much cleaner, but it's unambiguously more difficult. Not only
because of more work, but also because of the possibility of errors.
So if the developers of the program don't sign exactly what has
changed because of security issues and what just because of some other
reason, it can be difficult to make a backport.

> btw Gentoo has a separate sec team for this, too. so maybe we should
> consider this idea. something like:
> 1) SEC team notifies the m8r
> 2) m8r fixes the problem in -current
> 3) SEC team backports the fix to -stable
> 
> or this would be too much for the SEC team?

Maybe not, but in this case the hard work is done by the SEC team, not
the m8r, as fixing in -current means just a version bump most of the time.

Anyway this method seems to be the best way, but it makes the SEC team's
life more complex than i've thought. We'll see how these things work out.

> ironiq? if not, then we can still create an alias, for example
> [EMAIL PROTECTED] which points to the necessary people :)

Alias is even better.

> probably after a few advisories we can make a script for this (less
> time, less typos). and maybe here we should consider signing these mails
> with gpg -> another question: a common key for the sec devels or one for
> each dev? i'm not sure about this (at Slack this is not a question, only
> Pat does such updates ;) )

Yes, a script seems to be a good idea. Having a common key is better IMO.
And signing is a must-have :)

-- 
voroskoi
_______________________________________________
Frugalware-devel mailing list
[email protected]
http://frugalware.org/mailman/listinfo/frugalware-devel