Re: [Xen-devel] Difference between patch in XSA and patch checked in
On 08/24/2017 11:20 AM, Jan Beulich wrote:
>>>> On 24.08.17 at 12:17, <george.dunlap@xxxxxxxxxx> wrote:
>> On 08/24/2017 08:29 AM, Jan Beulich wrote:
>>> It is largely the adding of
>>> CVE numbers and tags to the patch which has turned out easier to
>>> do in a private copy of the patches (so they're ready to be applied
>>> without having to wait for / pull updates to xsa.git, the more that
>>> in less simple cases - which iirc XSA-218 was an example of - the
>>> automatic propagation of tags into the patches at public disclosure
>>> time doesn't always work [reliably]).
>>
>> Is there a "timeliness" issue for checking patches into the tree?
>
> Well, I've been striving to commit patches pretty quickly after
> advisories went public.

I understood that, but I didn't understand why.

I normally try to kick off CentOS builds of updated Xen packages at the
instant the embargo lifts, because 1) the CBS is public (and thus the
build can't start until the embargo lifts) and 2) the sooner the build
finishes, the sooner the users can test & reboot.

But for checking fixes into the public trees, I don't immediately see
why checking them in at UTC 12:01 is better than checking them in at UTC
1300 (or UTC 1700). Nicer to have things out of the way, to be sure,
but not (as far as I can see at the moment) worth the extra effort and
risk of creating private patches to achieve.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel