From: Andrew Cooper
Subject: Re: security bugs and release
Date: Wed, 26 Jun 2013 00:09:54 +0100
Message-ID: <51CA2342.3020902@citrix.com>
References: <2052847.SzM2x6sscC@devil>
In-Reply-To: <2052847.SzM2x6sscC@devil>
To: Agostino Sarubbo
Cc: xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 25/06/2013 18:07, Agostino Sarubbo wrote:
> Hello,
>
> I'd like to know why when there is a new advisory you just release a patch
> instead of a new release.
>
> This, in my opinion creates only confusion. For example, if I'm running 4.2.1
> I don't exactly know which patches have been applied. If you say, this is fixed
> in 4.2.2 I know that if I'm running that version, I'm fine.
>
> Is there a real reason because you don't make a new release?

I would be interested if you could provide examples of upstream projects
which do issue brand new releases for every security fix, rather than
applying the patch(es) to appropriate stable trees.

Downstream distros certainly do issue hotfixes/updates when they deem
appropriate.

If there is any confusion regarding patches and versions, please refer
to http://wiki.xen.org/wiki/Security_Announcements which provides all
details (although I note it is out of date with respect to XSA-57).

~Andrew