
List:       centos
Subject:    Re: [CentOS] This doesn't make sense
From:       Lamar Owen <lowen () pari ! edu>
Date:       2011-09-23 20:04:53
Message-ID: 201109231604.53808.lowen () pari ! edu
[Download RAW message or body]

On Friday, September 23, 2011 03:17:07 PM Dennis Jacobfeuerborn wrote:
> On 09/23/2011 07:57 PM, Lamar Owen wrote:
> > Have you pondered the moral implications of knowingly installing insecure
> > software and placing it on the public internet?  Oh, wait, it's not a moral
> > issue, since there is no such thing as secure software.
> 
> It is a moral issue if you know that you cannot provide timely updates.

You cannot know how long an update will take until the update is done, thanks to the
iterative process of ensuring binary compatibility.

> "Fun" doesn't enter into it. Apparently there existed an updated httpd 
> package on Sept. 1st that was ready to go and yet here we are three weeks 
> later with no release but more importantly no timely message that it will 
> in fact not be released as planned.

I don't think you understand.  The process is iterative; if QA fails it's all the way
back up to building it again.  A package may have existed three weeks ago in terms of
being built; if that package had passed binary testing and QA it would have been
released by now.

As to 'fun' entering into it, you also realize these guys are volunteers, right?
Make a volunteer's life too hard, and that volunteer stops volunteering.  These
volunteers *owe* the users of CentOS *nothing*.  I'm just glad they've done what
they've done.

> Again if it's not possible for the project to keep up with the updates then 
> this should be openly communicated so users can ponder alternatives.

I disagree.  The project has no obligation to communicate *anything* to me; I'll
watch the announcements, and when it's announced, I'll get it.  I cannot expect any
more than that from any volunteer project.  If the project chooses to communicate
that's great and fine, but I cannot expect it when I am not entitled to it by some
means.  Sure, that's inconvenient to users of the project's distribution; but users
of any free, volunteer-run project need to understand what they're getting themselves
into before they install it.

Perhaps the project should more adequately communicate during installation that
timely updates, bug-free operation, and security fixes are not guaranteed, and
require the user to agree to that before installation proceeds.

The CentOS project has done a fantastic job over the years, and it's easy to get
spoiled to being a freeloader.  But updates don't build and QA themselves.

> And if it's not possible to release specific high profile/impact updates in 
> a timely fashion for some reason then users should be informed too so they 
> can deal with the situation in other ways.

Again, it is impossible to know how long a package release will take when you start,
or even when you've built it for the twentieth time.  Full 100% binary compatibility
may mean packages have to be built in a particular order, and it may mean a set of
updates has to be built together in order to pass binary compatibility.  Once it has
passed the binary check it still has to be QA'd, and if it fails you are at square
one in ways, building again in a slightly different way to a slightly different
buildroot, correcting what QA found.  And the fix for one QA issue could easily cause
another.

A package as important as httpd must pass muster.  A broken update is worse than no
update at all.

> Yes, QA'ing and releasing a package may be time consuming but sending out 
> an email is not and would do a great deal to at least aid users in their 
> decision making.

Karanbir sent out an e-mail with his best estimate of the time; the estimate was
incorrect, but due to the nature of the beast it is impossible to know how long it
really will take.

Perhaps the QA process could be more open; perhaps it should be.  Perhaps it
shouldn't be, too.  I'm not in a position to judge that.

Rosman, NC  28772
http://www.pari.edu