User:Skvidal/punctuated-equilibrium

updates policy for patch 'tuesdays':

Principle:

By and large, updates should occur at regular intervals: not every day and not haphazardly. Security and critical bugfixes should be issued asynchronously, but feature updates, new pkgs and non-critical bugfixes should be issued once a month for the duration of the distro's supported lifetime.

specific rules:


 * 1) security, critical and high-impact bug fixes can be issued asynchronously. FULL STOP.
 * 2) if the above require changes/rebuilds to other pkgs, then those other pkgs will be included in the async update, provided that, if they are an update beyond a rebuild, they have passed a QA check
 * 3) all other updates can be included in the monthly update push provided:
 * 4) they have passed testing karma checks
 * 5) they have passed autoqa checks
 * 6) if it is not a bugfix (not including RFEs) and the update falls within the critical path or critical path dependencies, then it cannot be included.
 * 7) any other requirement or exception that FESCo decides on.

All of the above rules apply only within the rules of Stable Release Policy.

extenuating circumstances

If a pkg is being built for an async update and there is a pkg in the QA and tested updates queue for the next monthly update that it depends on, then it will be built against that version and that dependency will be pushed async. If the pkg that it depends on is not QA'd and not tested but the new version is NOT required, then it will not be built against that version.

If the pkg that it depends on is not QA'd and not tested but the new version is required, then the requirement will be built and pushed async.

In short, a security/critical update == the pkg that has the issue and any/all REQUIRED versions of pkgs it depends on.

definitions:

critical-bug: loses/corrupts data, makes system inaccessible, makes system unable to receive updates,

high-user-impact-bug: bug which fundamentally impacts the use of a package/application in a critical-path or critical-path-dependencies

security: has a CVE or security notice defined with it

bug: a bug in the software not covered by critical-bug definition NOT INCLUDING Requests For Enhancements (RFEs)

related documents:
 * https://fedoraproject.org/wiki/Desktop/Whiteboards/UpdateExperience
 * https://fedoraproject.org/wiki/User:Ajax/Stable_Release_Policy
 * https://fedoraproject.org/wiki/Updates_Lessons