[csw-users] security updates on the stable branch?

James Lee james at blastwave.org
Sat Apr 22 13:06:01 CEST 2006


On 20/04/06, 18:29:16, Pub cra <pub.cra at gmail.com> wrote regarding Re:
[csw-users] security updates on the stable branch?:

> Sorry, I was thinking of the debian style of security updates when I
> posed the question: the update (patching/upgrade, QA and release)
> happens by package and not by release.
> So for example when an apache vulnerability is found, only *that*
> package is patched and re-released immediately. So between releases
> you have lots of updates.

> Blastwave seems to work differently if I read your mail correctly. You
> correct a collection of bugs on several packages and release a
> "release" (on a timely basis, but with mid-term releases if necessary).
> Advantage is less breakage, disadvantage is that it's *possible* that
> you'll be running vulnerable software for weeks or months (until the
> next mid-term stable release).

A release is a collection of individual packages; the problem is that
most packages don't work in isolation as just individual packages and
sometimes a particular version of a package only works when used in
combination with other packages of particular versions.  Pick-n-mix
of packages or adding one-at-a-time does *not* work.

A "stable release" is a QAed collection, and is distinct from "a
release to unstable" (or "a release to stable" if there was such a
thing).  A "stable release" should be seen as an "integrated software
suite".

Examples: CSWfoo requires CSWbar, then CSWbar is updated.  Does CSWfoo
still work?  Answer: not necessarily.  If it is found that in order to
add CSWbar a new CSWfoo is needed then *both* have to be and will be
added to stable.  The chain can get longer because it might be that
CSWbaz either requires or supports CSWfoo and it too has to be updated.

Those packages not affected will not be added to stable mid term.


The term "package tree" is often used; it's not a tree in the usual
sense, the interconnection forms not a tree but a network:
http://pfelecan.free.fr/blastwave/dependencyGraph/cswdepgraph.html



As to the immediacy of response to security updates, it's only happened
once in our short history.  Our postgresql packages with the fix were
in the stable release candidate and being tested before the problem
was publicly announced by Postgres themselves.  Stable does not mean
just old.




> Please do not read my mail as a criticism, as I really do appreciate your
> work. I just need to evaluate things correctly before taking a
> decision to move a server park from sunfreeware/self-compile to
> blastwave.

Not at all, you ask both probing and useful questions.  I know that
many of these issues are not clear from the Blastwave documentation.
Blastwave has the potential to be great, it's not there yet, but I
hope at least that the direction is correct and it will progress.





James.
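The dependency-chain argument above (CSWbar is fixed, so CSWfoo and then CSWbaz must be re-tested too, while unrelated packages stay untouched) can be worked through on a small graph. This is an added example, not code from the thread or from Blastwave; the package names beyond CSWfoo/CSWbar/CSWbaz and all the edges are constructed for illustration.

```python
# Added example (not from the mailing-list thread): given a package
# dependency graph, compute the set of packages that must be re-QAed
# and released to stable together when one package gets a security fix.
from collections import deque

# "A depends on B" edges.  Constructed sample: CSWfoo requires CSWbar,
# CSWbaz requires CSWfoo, CSWqux (hypothetical) requires both CSWbar and
# CSWfoo, and CSWmail (hypothetical) requires nothing in this set.  The
# shared dependency makes this a network rather than a tree, as the
# thread points out.
DEPENDS_ON = {
    "CSWfoo": {"CSWbar"},
    "CSWbaz": {"CSWfoo"},
    "CSWqux": {"CSWbar", "CSWfoo"},
    "CSWbar": set(),
    "CSWmail": set(),
}


def reverse_deps(depends_on):
    """Invert the graph: package -> set of packages that require it."""
    rdeps = {pkg: set() for pkg in depends_on}
    for pkg, deps in depends_on.items():
        for dep in deps:
            rdeps.setdefault(dep, set()).add(pkg)
    return rdeps


def update_set(depends_on, fixed_pkg):
    """Breadth-first walk over reverse dependencies: every package that
    transitively requires fixed_pkg must be re-tested (and possibly
    rebuilt) before the fix can go to stable.  Visited tracking keeps
    the walk finite even when the graph has shared or cyclic edges."""
    rdeps = reverse_deps(depends_on)
    seen = {fixed_pkg}
    queue = deque([fixed_pkg])
    while queue:
        pkg = queue.popleft()
        for dependant in sorted(rdeps.get(pkg, ())):
            if dependant not in seen:
                seen.add(dependant)
                queue.append(dependant)
    return seen


def untouched(depends_on, fixed_pkg):
    """Packages with no path to fixed_pkg stay as they are in stable."""
    return set(depends_on) - update_set(depends_on, fixed_pkg)


if __name__ == "__main__":
    print(sorted(update_set(DEPENDS_ON, "CSWbar")))
    print(sorted(untouched(DEPENDS_ON, "CSWbar")))
```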