On 17/07/2019 13:37, Jan Beulich wrote:
> On 17.07.2019 12:33, George Dunlap wrote:
>>> On Jul 16, 2019, at 11:03 PM, Andrew Cooper
>>>
>>> We could trivially throw the fixes into the branch, tag it, sign it and
>>> throw it out into the open, but doing that on the embargo date itself
>>> would result in an official release of Xen which has had 0 testing in
>>> the incumbent test system.
>> The point is that anyone who ships / deploys a fix on the disclosure date
>> is pretty much shipping exactly that. If it’s not good enough to sign,
>> why is it good enough to deploy?
> I think the security fixes themselves are good enough to deploy, perhaps
> with the assumption that consumers of our pre-disclosure list have done
> some testing on their own. The stable trees, however, contain more than
> just security fixes, and can have regressions (most likely due to
> backporting mistakes).

Right, but e.g. proposed changing the commit/push model whereby all changes
must pass CI before they get merged would reduce the likelihood of bad
backports getting into staging-* in the first place.

~Andrew