This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Glibc stable release process (Glibc 2.26.1)
- From: Florian Weimer <fweimer at redhat dot com>
- To: "Andreas K. Huettel" <dilfridge at gentoo dot org>, libc-alpha at sourceware dot org, siddhesh at sourceware dot org
- Cc: Zack Weinberg <zackw at panix dot com>, "Yann E. MORIN" <yann dot morin dot 1998 at free dot fr>, Tulio Magno Quites Machado Filho <tuliom at linux dot vnet dot ibm dot com>, Romain Naour <romain dot naour at gmail dot com>, Joseph Myers <joseph at codesourcery dot com>, "Gabriel F. T. Gomes" <gabriel at inconstante dot eti dot br>, Paul Eggert <eggert at cs dot ucla dot edu>, Arjan van de Ven <arjan at linux dot intel dot com>
- Date: Mon, 2 Oct 2017 21:22:12 +0200
- Subject: Re: Glibc stable release process (Glibc 2.26.1)
On 10/01/2017 09:59 PM, Andreas K. Huettel wrote:
> To be honest, if I were a long-time glibc distro maintainer I'd probably agree
> with you and prefer hand-picking. Starting from a tag / tarball is something I
> prefer because I'm not that versed with things yet.
We continuously rebase Fedora on top of the upstream stable release
branch for that Fedora release (but we do not switch branches within a
release).
I doubt there is a clear preference, and each approach has its
advantages and disadvantages.
I still don't understand why you need tarballs for releases, though. Or
put differently, the difference between glibc 2.26.5 and glibc 2.26-40
seems rather minor to me, and producing the tarballs is quite a bit of
work for us.
Regarding security backports, you really need to read and understand our
announcement of significant issues anyway. People keep rediscovering
semantically dependent patches in glibc 2.19 for the CVE-2015-7547 fix
because the posted patch applies without conflicts without them, and
this despite the fact that we clearly named those patches in the release announcement.
This is why I'm wary of pretending further that things are simple.
They are not.
Thanks,
Florian