Are security updates provided by the core openSUSE team or the community?


Are security updates provided by the core openSUSE team or the community?

deoren
Hi,

I've been using openSUSE (specifically Tumbleweed) for a couple of months now and noticed that security updates for openSUSE seem to lag behind other popular distros (ex: Red Hat & CentOS, Debian & Ubuntu, Arch). Even so, it's not usually by too much, maybe just a day or so. My assumption has been that the openSUSE team just doesn't have the same resources available to it that the other distros have.

For example, with the MozillaFirefox package I noticed that the updated version (v38.0 or 38.0.1) is still not available via the standard repos as of the 20150516 snapshot. Is this an oversight, the conclusion that the security issues with v38.0 are minor, a lack of time or something else?

Thank you for your time.
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: Are security updates provided by the core openSUSE team or the community?

Robert Kaiser
Hi,

> For example, with the MozillaFirefox package I noticed that the updated
> version (v38.0 or 38.0.1) is still not available via the standard repos
> as of the 20150516 snapshot. Is this an oversight, the conclusion that
> the security issues with v38.0 are minor, a lack of time or something else?

I can't speak for the openSUSE packaging situation, but given that I'm
working for Mozilla and involved in the process of releases, I can tell
you that 38.0.1 is not a security update. In fact, I think there's
nothing really in that update that affects Linux, the main reason why we
created it was a startup crash on some Windows systems. So in this case,
there probably is not any good reason for openSUSE to even do a 38.0.1
update, other than because of the looks of the version number.

Cheers,
KaiRo


Re: Are security updates provided by the core openSUSE team or the community?

deoren
On 5/19/2015 10:07 AM, Robert Kaiser wrote:

> Hi,
>
>> For example, with the MozillaFirefox package I noticed that the updated
>> version (v38.0 or 38.0.1) is still not available via the standard repos
>> as of the 20150516 snapshot. Is this an oversight, the conclusion that
>> the security issues with v38.0 are minor, a lack of time or something else?
>
> I can't speak for the openSUSE packaging situation, but given that I'm working for Mozilla and involved in the process of releases, I can tell you that 38.0.1 is not a security update. In fact, I think there's nothing really in that update that affects Linux, the main reason why we created it was a startup crash on some Windows systems. So in this case, there probably is not any good reason for openSUSE to even do a 38.0.1 update, other than because of the looks of the version number.
>
> Cheers,
> KaiRo

Hi,

Thanks for the reply.

I mentioned 38.0.1 in the same breath as 38.0, which was a mistake. I meant for the emphasis to be on v38.0, which I see listed as a security release. I meant to imply that providing v38.0 or 38.0.1 would provide a current Mozilla Firefox package that has the latest security fixes.



Re: Are security updates provided by the core openSUSE team or the community?

Dominique Leuenberger / DimStar
On Tue, 2015-05-19 at 11:54 -0500, deoren wrote:

> On 5/19/2015 10:07 AM, Robert Kaiser wrote:
> > Hi,
> >
> > > For example, with the MozillaFirefox package I noticed that the
> > > updated
> > > version (v38.0 or 38.0.1) is still not available via the
> > > standard repos
> > > as of the 20150516 snapshot. Is this an oversight, the
> > > conclusion that
> > > the security issues with v38.0 are minor, a lack of time or
> > > something else?
> >
> > I can't speak for the openSUSE packaging situation, but given that
> > I'm working for Mozilla and involved in the process of releases, I
> > can tell you that 38.0.1 is not a security update. In fact, I
> > think there's nothing really in that update that affects Linux,
> > the main reason why we created it was a startup crash on some
> > Windows systems. So in this case, there probably is not any good
> > reason for openSUSE to even do a 38.0.1 update, other than because
> > of the looks of the version number.
> >
> > Cheers,
> > KaiRo
>
> Hi,
>
> Thanks for the reply.
>
> I mentioned 38.0.1 in the same breath as 38.0, which was mistake. I
> meant for the emphasis to be on v38.0 which I see listed as a
> security release. I meant to imply that providing v38.0 or 38.0.1
> would would a current Mozilla Firefox package that has the latest
> security fixes.
>

I assume you're strictly talking Tumbleweed here (*). Security updates
are incoming 'as fast as possible', but the process around Tumbleweed,
including testing, can at times slow down substantially.

As an example: MozillaFirefox has been submitted to openSUSE:Factory
(the Tumbleweed integration/pre-test project) by
  Wolfgang on 2015-05-15T11:21:09.

Then it entered some staging project (currently Staging :F) and is
awaiting a full build including test media. Once the media is ready,
it is handed off to openQA to ensure the new media works (there is a
bit more in Staging:F than only Firefox, if we'd do one staging per
app it would take forever to get anything through).

So, yes, updates are prepared in time, but the process can at times
slow down their delivery to users a bit. We try to take the security
relevance into account when handling stagings, and if something of
high criticality is stalled, we certainly will try to find a way
around this.

Hope that explains a bit where the delay is coming from.

(*) for the regular maintained releases, the process is different of
course.

Best regards,
Dominique


Re: Are security updates provided by the core openSUSE team or the community?

deoren
On 5/19/2015 12:15 PM, Dominique Leuenberger / DimStar wrote:

> On Tue, 2015-05-19 at 11:54 -0500, deoren wrote:
>> Hi,
>>
>> Thanks for the reply.
>>
>> I mentioned 38.0.1 in the same breath as 38.0, which was mistake. I
>> meant for the emphasis to be on v38.0 which I see listed as a
>> security release. I meant to imply that providing v38.0 or 38.0.1
>> would would a current Mozilla Firefox package that has the latest
>> security fixes.
>>
>
> I assume you're strictly talking Tumbleweed here (*). Security updates
> are incoming 'as fast as possible', but the process around Tumbleweed,
> including testing, can at times slow down substantially.
>
> As an example: MozillaFirefox has been submitted to openSUSE:Factory
> (the Tumbleweed integration/pre-test project) by
>    Wolfgang on 2015-05-15T11:21:09.
>
> Then it entered some staging project (currently Staging :F) and is
> awaiting a full build including test media. Once the media is ready,
> it is handed off to openQA to ensure the new media works (there is a
> bit more in Staging:F than only Firefox, if we'd do one staging per
> app it would take forever to get anything through).
>
> so, yes, updates are prepared in time but the process can at times
> slow it a bit down to get to the users. We try to take the security
> relevance into account when handling stagings, and if something of
> high criticality is stalled, we certainly will try to find a way
> around this.
>
> Hope that explains a bit where the delay is coming from
>
> (*) for the regular maintained releases, the process is different of
> course.
>
> Best regards,
> Dominique
>

Thanks Dominique, I have a clearer understanding now.



Re: Are security updates provided by the core openSUSE team or the community?

Johannes Segitz
In reply to this post by Dominique Leuenberger / DimStar
On Tue, May 19, 2015 at 06:15:13PM +0100, Dominique Leuenberger / DimStar wrote:
> I assume you're strictly talking Tumbleweed here (*). Security updates
> are incoming 'as fast as possible',

Same for openSUSE 13.[12]. We (the security team) depend on the maintainers
to submit a fixed package before we can prepare an update. For some
packages the maintainers react very fast, for others not so much. Then we
have a seven day delay when the updates get tested by some volunteers who
bravely install the updates as soon as they are available, which causes
additional delay.

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu,
Graham Norton, HRB 21284 (AG Nürnberg)


Re: Are security updates provided by the core openSUSE team or the community?

Dmitriy Perlow
Johannes Segitz <[hidden email]>  Wed, 20 May 2015 17:14:16 +0300:

> On Tue, May 19, 2015 at 06:15:13PM +0100, Dominique Leuenberger /  
> DimStar wrote:
>> I assume you're strictly talking Tumbleweed here (*). Security updates
>> are incoming 'as fast as possible',
>
> Same for openSUSE 13.[12]. We (the security team) depend on the  
> maintainers
> to submit a fixed package before we can prepare an update. For some
> packages the maintainers react very fast, for others not so much. Then we
> have a seven day delay when the updates get tested by some volunteers who
> bravely install the updates as soon as they are available, which causes
> additional delay.
>
> Johannes

Hello!

Sounds like Ubuntu's proposed channel; how could an openSUSE 13.2 user enable this
feature?

--
Best regards,
Dmitriy DA(P).DarkneSS Perlow @ Linux x64


Re: Are security updates provided by the core openSUSE team or the community?

Marcus Meissner
On Wed, May 20, 2015 at 06:42:49PM +0300, Dmitriy Perlow wrote:

> Johannes Segitz <[hidden email]>  Wed, 20 May 2015 17:14:16 +0300:
>
> >On Tue, May 19, 2015 at 06:15:13PM +0100, Dominique Leuenberger /
> >DimStar wrote:
> >>I assume you're strictly talking Tumbleweed here (*). Security updates
> >>are incoming 'as fast as possible',
> >
> >Same for openSUSE 13.[12]. We (the security team) depend on the
> >maintainers
> >to submit a fixed package before we can prepare an update. For some
> >packages the maintainers react very fast, for others not so much. Then we
> >have a seven day delay when the updates get tested by some volunteers who
> >bravely install the updates as soon as they are available, which causes
> >additional delay.
> >
> >Johannes
>
> Hello!
>
> Sound like ubuntu proposed, how could openSUSE 13.2 user enable this
> feature?

Subscribe to our test update channel and report problems :)

http://download.opensuse.org/update/13.2-test/

or for 13.1:

http://download.opensuse.org/update/13.1-test/

Report problems by email to [hidden email] or via Bugzilla.

Ciao, Marcus


Re: Are security updates provided by the core openSUSE team or the community?

Wolfgang Rosenauer-4
In reply to this post by Johannes Segitz
Am 20.05.2015 um 16:14 schrieb Johannes Segitz:

> On Tue, May 19, 2015 at 06:15:13PM +0100, Dominique Leuenberger / DimStar wrote:
>> I assume you're strictly talking Tumbleweed here (*). Security updates
>> are incoming 'as fast as possible',
>
> Same for openSUSE 13.[12]. We (the security team) depend on the maintainers
> to submit a fixed package before we can prepare an update. For some
> packages the maintainers react very fast, for others not so much. Then we
> have a seven day delay when the updates get tested by some volunteers who
> bravely install the updates as soon as they are available, which causes
> additional delay.
>
> Johannes

And as the example was Firefox, I can comment as well ;-)
There was an initial question about who is doing security updates. This
depends on the package, I'd say. For Firefox it's basically me, and I'm a
volunteer and not employed by SUSE.
In almost all cases I'm providing the package updates in the mozilla
repository in the same hour (sometimes a bit earlier, sometimes a bit
later) as upstream releases them.

Now, given the Mozilla communications and the "rules" for security
updates at this point in time, I don't have the official CVE/MFSA
security data to put into the changelog. This information is usually
seen as crucial by the involved teams. The announcements are
usually made public later than the actual update, and therefore I
- need to wait for the announcement
- convert it into the changelog format
- need to update the prepared package submissions
- upload the change
- (wait for a successful build)
- submit the update
(multiplied by 3 for Firefox, Thunderbird and xulrunner)

Now this submission was later than usual because of different reasons:
- bank holiday and my computer absence of a day ;-)
- 38.0.1 was created and I wanted to pick it up
- another fix required for Tumbleweed for gcc 5 was added last minute
which delayed the submission for another time

Now begins what Dominique has described for Tumbleweed and Johannes for
maintained distributions.

So you have the full picture now. I'm not actually sure how to speed up
the process while keeping the same level of testing.


Wolfgang