List: centos
Subject: Re: [CentOS] This doesn't make sense
From: Lamar Owen <lowen () pari ! edu>
Date: 2011-09-23 20:04:53
Message-ID: 201109231604.53808.lowen () pari ! edu
On Friday, September 23, 2011 03:17:07 PM Dennis Jacobfeuerborn wrote:
> On 09/23/2011 07:57 PM, Lamar Owen wrote:
> > Have you pondered the moral implications of knowingly installing insecure software and placing it on the public internet? Oh, wait, it's not a moral issue, since there is no such thing as secure software.
>
> It is a moral issue if you know that you cannot provide timely updates.
You cannot know how long an update will take until the update is done, thanks to the iterative process of ensuring binary compatibility.
> "Fun" doesn't enter into it. Apparently there existed an updated httpd
> package on Sept. 1st that was ready to go and yet here we are three weeks
> later with no release but more importantly no timely message that it will
> in fact not be released as planned.
I don't think you understand. The process is iterative; if QA fails it's all the way back up to building it again. A package may have existed three weeks ago in terms of being built; if that package had passed binary testing and QA it would have been released by now.
As to 'fun' entering into it, you also realize these guys are volunteers, right? Make a volunteer's life too hard, and that volunteer stops volunteering. These volunteers *owe* the users of CentOS *nothing*. I'm just glad they've done what they've done.
> Again if it's not possible for the project to keep up with the updates then
> this should be openly communicated so users can ponder alternatives.
I disagree. The project has no obligation to communicate *anything* to me; I'll watch the announcements, and when it's announced, I'll get it. I cannot expect any more than that from any volunteer project. If the project chooses to communicate that's great and fine, but I cannot expect it when I am not entitled to it by some means. Sure, that's inconvenient to users of the project's distribution; but users of any free, volunteer-run project need to understand what they're getting themselves into before they install it.
Perhaps the project should more adequately communicate during installation that timely updates, bug-free operation, and security fixes are not guaranteed, and require the user to agree to that before installation proceeds.
The CentOS project has done a fantastic job over the years, and it's easy to get spoiled to being a freeloader. But updates don't build and QA themselves.
> And if it's not possible to release specific high profile/impact updates in
> a timely fashion for some reason then users should be informed too so they
> can deal with the situation in other ways.
Again, it is impossible to know how long a package release will take when you start, or even when you've built it for the twentieth time. Full 100% binary compatibility may mean packages have to be built in a particular order, and it may mean a set of updates has to be built together in order to pass binary compatibility. Once it has passed the binary check it still has to be QA'd, and if it fails you are at square one in ways, building again in a slightly different way to a slightly different buildroot, correcting what QA found. And the fix for one QA issue could easily cause another.
A package as important as httpd must pass muster. A broken update is worse than no update at all.
> Yes, QA'ing and releasing a package may be time consuming but sending out
> an email is not and would do a great deal to at least aid users in their
> decision making.
Karanbir sent out an e-mail with his best estimate of the time; the estimate was incorrect, but due to the nature of the beast it is impossible to know how long it really will take.
Perhaps the QA process could be more open; perhaps it should be. Perhaps it shouldn't be, too. I'm not in a position to judge that.
Rosman, NC 28772
http://www.pari.edu
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos