On 1/4/07, Anne Wilson <cannewilson@xxxxxxxxxxxxx> wrote:
And there I want to chip in. One big bugbear is when things that were working get broken by updates. I think that one small change would be immensely helpful here. Either people don't do updates at all - in which case vulnerabilities mount - or they get the lot, and things occasionally get broken. Bear in mind that this class of user usually doesn't need the absolute latest and greatest - just a reasonably up-to-date version of his software. Surely it would be possible to make a simple way to take security fix updates only? That way you could automate the updates for normal use, and they could get other updates with the aid of someone more knowledgeable if necessary. Maybe the possibility already exists. If it is, then it needs publicising.
This is a good idea but I think it is largely the way updates already occur already within a particular version of Fedora ... but not entirely. There are rarely updates solely to introduce features. Oftentimes, rather than backporting a security patch included in a newer version, the newer version gets packaged by the maintainer and this drags along with it new features (and unfortunately new bugs). This is done for the sake of efficiency (aka laziness ;]) since backporting the security fixes to old versions represents a doubling of the work than just packaging the new version. I have found that most major snags that come up due to these new bugs are ironed out within a week or so. So all that would be needed is some mechanism to only apply updates that are at least a week old provided there are no newer version that replace them. The dilema is that your increase your risk of a security breach while at the same time decreasing your risk of a botched package update. So it is a tradeoff. Also, a problem would be that if everyone chose to delay this package installation, there would just be a week added to the bug discovery :] I see a version of this happening already. Often a maintainer will post to the list (probably the fedora-testing or fedora-devel list) that they are putting out an update in a testing repository a week in advance to air out any significant bugs. However, I suspect that the vast majority don't bother volunteering to be the guinea pig and those that would are already running test candidates of the future Fedora. /Mike
