[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: On cadence and collaboration

On Wed, Aug 05, 2009 at 03:48:06PM +0100, Mark Shuttleworth wrote:
> >>  If upstream knows, for example, that MANY distributions will be
> >>  shipping a particular version of their code and supporting it for
> >>  several years (in fact, if they can sit down with those distributions
> >>  and make suggestions as to which version would be best!) then they
> >>  are more likely to be able to justify doing point releases with
> >>  security fixes for that version... which in turn makes it easier for
> >>  the security teams and maintainers in the distribution.
> >>     
> >
> > In practice, most upstreams adopt a "you're using a version that's two
> > weeks old, go update to our current development snapshot and see
> > yourself whether the bug is still there" attitude.
> >   
> That's true. To upstream there is "tip" (which all real developers run,
> right? ;-)) and then there's "the cloud of released versions which
> distributions are still shipping". It's hard to get their attention
> about the particular version that any one distribution is shipping, but
> I think it's reasonable to believe it would be easier to get their
> attention about a version that *many* distributions adopted.

Additionally, even if upstream isn't willing to provide any help to
distros shipping what they consider to be a "stale" version, the distros
are in a better position to help each other if they're shipping similar
versions.  We see this sort of cooperation _all the time_ in the
security community via the vendor-sec mailing list.  Patches for a given
problem may be proposed by a representative from one distro, reviewed by
members of several others, finally used by even more.  This may all
happen with or without help from upstream.  Either way, it's easier for
everybody involved if people are using similar versions.  I suspect we'd
see a lot more help from upstream developers if they knew they only had
to come up with a fix for a given problem once, rather than for several
different versions.  We benefit either way, though.


Attachment: signature.asc
Description: Digital signature

Reply to: