Re: [Xen-devel] Xen release cycle revisited
On 14/12/17 13:43, Julien Grall wrote:
>
> On 14/12/17 11:38, Juergen Gross wrote:
>> On 14/12/17 12:28, Julien Grall wrote:
>>>
>>> On 14/12/17 07:56, Juergen Gross wrote:
>>>> Hi all,
>>>
>>> Hi Juergen,
>>>
>>> I would recommend to CC committers on that thread, so your thread doesn't
>>> get lost in the xen-devel meanders :).
>>>
>>>> with 4.10 more or less finished it is time to plan for the next release
>>>> 4.11. Since 4.7 we are using a 6 month release cycle [1] targeting to
>>>> release in June and December.
>>>>
>>>> While this worked reasonably well for 4.7, 4.8 and 4.9 we had some
>>>> difficulties with 4.10: bad luck with security patch timing shifted the
>>>> 4.10 release more towards mid of December. Doing thorough testing of the
>>>> latest security patches and trying to release at least 10 days before
>>>> Christmas seemed to be almost mutually exclusive goals.
>>>>
>>>> So what do we learn from this experience?
>>>>
>>>> 1. Should we think about other planned release dates (e.g. May and
>>>> November - would that collide with any holiday season)?
>>>>
>>>> 2. Shouldn't we have tried to include the latest security patches in
>>>> 4.10, resulting in the need for 4.10.1 at once?
>>>
>>> I am not sure I understand this question here.
>>
>> Hmm, yes, this is somehow garbled.
>>
>> Next try:
>>
>> 2. Should we have released 4.10 without those late security patches,
>> resulting in the need for 4.10.1 at once?
>
> We were not ready to release on the 2nd December. This would have put
> the release date too close to XSAs published date. The risk was that the
> security issues announcement would overshadow the release announcement.

Okay. So for me it seems as if a planned release early December is the
main problem: either the release slips no more than 2 weeks or it will
slip for more than 5 weeks. Having only 2 weeks of spare time is a major
risk.

>>>> 3. Should we let the release slip for almost a month in such a case?
>>>
>>> The problem is XSAs can happen at any time. Let's imagine we decided to
>>> release in January, what if a new security was discovered during
>>> Christmas? Are we going to slip the release again?
>>
>> Go back to 2. :-)
>>
>>>> 4. Should we try harder to negotiate embargo dates of security
>>>> issues to match the (targeted) release dates?
>>>
>>> Those 4 XSAs were first released under embargo a couple of days before
>>> the targeted release dates.
>>>
>>> The usual embargo period is 2 weeks. I think it would be difficult to
>>> request a shorter embargo period because downstream products need time to
>>> apply/test the security fixes.
>>
>> Right. What about a longer embargo so that it ends well after the
>> release date? Last minute XSAs just before a 2-3 week period where
>> a release can't happen (like at Xmas) are the problem.
>
> I guess that could work. The security team would have to convince the
> discoverer if he/she is happy with it.

Sure, like Ian pointed out in another thread.

Juergen

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel