From mboxrd@z Thu Jan 1 00:00:00 1970
From: Agostino Sarubbo
Subject: Re: security bugs and release
Date: Wed, 26 Jun 2013 17:24 +0200
Message-ID: <1739559.2FeUMdQsO2@devil>
References: <2052847.SzM2x6sscC@devil> <1372238494.18901.124.camel@zakaz.uk.xensource.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1372238494.18901.124.camel@zakaz.uk.xensource.com>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Ian Campbell
Cc: xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On Wednesday 26 June 2013 10:21:34 Ian Campbell wrote:
> A new point release will rollup all the applicable security updates
> issued before that point.
>
> In addition all of our releases are tagged in version control, so you
> can trivially find out what went into it.
>
> You could also just run the latest stable-X.Y branch from xen.git. I
> wouldn't personally recommend doing so in production but it seems to be
> a good fit for your requirements.

I'm not a xen user. I manage and coordinate the security bugs on Gentoo Linux.

>
> > Is there a real reason because you don't make a new release?
>
> People who deploy and run production systems want a timely, targeted and
> low risk fix for a security issue, which they can be confident of
> deploying quickly, with a minimum of disruption to their service and
> with the lowest possible chance of breakage. A new release would
> necessarily contain other fixes not related to the security issue and
> therefore takes longer to produce and longer to test and deploy in order
> to reach the same level of confidence.
>
> I think you will find that this approach to security support is quite
> common, especially among critical system components.

Yes, in the case of a package like xen, it would be a risky update without having done better testing on, e.g., another test machine.

Pasi in his mail made a great proposal. I'd like it if you considered it.

-- 
Agostino Sarubbo
Gentoo Linux Developer