[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[2002-04-30] Release Status Update

Hello world,

So, it's April 30th (for most of the planet, anyway), which probably means
folks are beginning to get mildly curious about whether woody'll actually
be ready for release tomorrow. The answer is a definite "kind-of". Which
is to say, "no".

On the upside, woody itself is ready to be released. The only outstanding
changes that need to be made are the standard security fixes that need
to be made throughout the lifetime of stable anyway.

Unfortunately, that's exactly where we've dropped the ball: the security
team presently don't have the resources to handle security advisories
for woody [0]. While there has been a plan in place for roughly a year
on how to handle this ("rbuilder", for those playing along at home),
it hasn't been successfully rolled out across more than a handful
of the architectures we wish to support, and it further doesn't seem
like trying to rush it now will be particularly effective. As such,
an alternate arrangement, involving some moderately significant changes
to the existing autobuilder system are being made, which should become
active over the next week or so.

Naturally, we will not be making the woody release until we have a viable
mechanism for making timely security updates.

On the technical side of things, the only other significant problem we're
having is that we have so far been unable to produce fully successful
builds of CD images for alpha and sparc. This is being worked on, but may
mean that sparc and alpha CD images will be unavailable at release time.

The other signficant issue that's come up is a poor sense of timing on
behalf of a fair number of people. To take two fairly straightforward
examples: a few days before the expected release is not the time to file
eighty or ninety release-critical bugs about issues that have been being
tracked outside the BTS in a satisfactory manner for months; similarly,
it's far from ideal to have delayed the fix for the nscd bug (which has
been open for over a month and requires a new upload of the glibc package
to fix) until the very last day before release. These aren't isolated
examples: there's been significant amounts of "QA" work (for example,
checking buildability for binary-all packages; checking for packages that
modify conffiles) that has only been started _after_ the time when it's
reasonable to try doing anything about it, and there've been significant
numbers of uploads rushed in at the last minute for problems that could've
been resolved either by the maintainer or by NMU weeks or months ago.

These are two sides of the same coin, really: fixes need to be done
early rather than late so that they can be tested and, if necessarily,
fixed further, and problems need to be found even earlier so that there's
time to fix the problem right. It might be better late than never, but
really the difference isn't all that noticible. Hopefully people will
be able to use the forthcoming suffering as an incentive to get this
done right next time.

So, the final automatic run of the testing scripts was today, and will
be reflected in the next mirror pulse. From this point, we'll have
manually approved security updates to some packages, and very little
else, until release. Requests from the maintainer to remove packages
that are unreleasable may be considered. Requests from the maintainter
for an update to a package will generally be considered a request to
remove the package.

aj (woody release manager)

[0] Issuing an advisory and fixed .debs for the six architectures that
    released with Debian 2.2 (potato) already takes, essentially, an
    entire night with the current tools; doing likewise for the eleven
    architectures that will release with woody will take more time than
    the security team are able to commit; doing it with woody's eleven
    architectures _and_ potato's six architectures for a few months
    so that people have time to evaluate woody before being forced to
    upgrade to it is completely out of the question.

Anthony Towns <ajt@debian.org>

Attachment: pgpw5ltfHECg0.pgp
Description: PGP signature

Reply to: