From Fedora Project Wiki

m (s/STR/SRT/ (Security Response Team))
(add drpm note)
Line 18: Line 18:
* Dependencies - package may require something newer in buildroot thats not an update, need to make sure and test it.  
* Dependencies - package may require something newer in buildroot thats not an update, need to make sure and test it.  
* Mirrormanager - should we even use it? would require 1hr to see the changes in repo and make new metalink, and then require mirroring time to get out to mirrors
* Mirrormanager - should we even use it? would require 1hr to see the changes in repo and make new metalink, and then require mirroring time to get out to mirrors
* drpms? avoiding them would be much easier.
* Some kind of staging of finished repo to test with/check before making live?
* Some kind of staging of finished repo to test with/check before making live?



Revision as of 15:51, 6 October 2014

Urgent Updates Policy

DRAFT
This page is a draft and not approved or in effect

Background

From time to time urgent updates come along that we would like to push to our users as fast as possible. These include urgent security fixes or updates that fix criticial fuctionality (like the ability to get more updates). We will have a side repo called 'urgent-updates' that contains these fixes for a short time. Packages added to this repo are manually signed and added, then removed a week after the regular updates are pushed to stable.

Requirements

  • MUST be a urgent security or bugfix update (proposed by SRT?)
  • MUST have a regular bodhi update submitted.
  • MUST file a releng ticket and indicate that this update should be added to the urgent-updates repo

Things we need to figure out

  • Multilib - only x86_64, perhaps we can do this manually?
  • Dependencies - package may require something newer in buildroot thats not an update, need to make sure and test it.
  • Mirrormanager - should we even use it? would require 1hr to see the changes in repo and make new metalink, and then require mirroring time to get out to mirrors
  • drpms? avoiding them would be much easier.
  • Some kind of staging of finished repo to test with/check before making live?

Workflow

  • update/fix is commited and built.
  • maintainer submits bodhi updates as normal
  • maintainer (or interested folks) submit releng ticket asking for urgent update addition.
  • build(s) are signed and added to urgent-updates repo (with multilib/deps?)
  • releng asks qa to test/confirm updates available.
  • mirrormanager updates metalink and updates go to users. (optionally)
  • after update is in stable for 1 week, remove from urgent-updates repo.

References

https://fedorahosted.org/rel-eng/ticket/5886