Updates policy (draft)

Pre Beta
This is the time between the branch from rawhide and the Beta release of the new branched OS. During this time we are attempting to stabilize the major versions of software that will be shipped with the final release of the OS. Major updates can be tolerated, but breaking things for early testers should be avoided if possible. Additionally, as we get close to Alpha or Beta releases any change that breaks composes of Live media, install media or testing should be avoided. Packages for Features should be landing and getting major testing.

repos available: base updates-testing

During this time Maintainers MUST (enforced by bodhi):


 * Push all updates first to updates-testing.
 * All critical path updates MUST get one +1 karma from a  proventester before being moved to stable.
 * All non critical path updates MUST either reach the prescribed karma level for that update, OR spend at least 3 days in updates-testing before being allowed to move to stable.

and Maintainers SHOULD (not enforced):


 * Avoid ABI/API changes where possible. If unavoidable, should coordinate a side tag to rebuild packages in or a mass build/update. ( file a rel-eng ticket at https://fedorahosted.org/rel-eng/newticket)

Beta to Pre Release
This is the time between the Beta release and the final release as stable of the branched OS. The branched OS should now be stabilized and prepared for release. Major changes should be avoided during this period.

repos available: base updates-testing

During this time maintainers MUST:


 * Avoid Major version updates, ABI breakage or API changes if at all possible.
 * Push updates first to updates-testing.
 * All critical path updates MUST have a sum of +2 karma, one of which must be from a  proventester.
 * All non critical path updates MUST either reach the prescribed karma level for that update, OR spend at least 7 days in updates-testing before being allowed to go to stable.

Pre release
During this time the release is being composed and all non blocker changes should be avoided. In pre release period are non-blocker packages queued for so called zero day updates. These packages will be available in updates repository after whole distribution is released.

repos available: base updates updates-testing


 * All updates pulled into the release MUST fix a blocker.
 * Push updates first to updates-testing.
 * All critical path updates MUST have a sum of +2 karma one of which must be from a  proventester.
 * All non critical path updates MUST either reach the prescribed karma level for that update, OR spend at least 7 days in updates-testing before being allowed in stable.
 * Once, updates repo is available, stable updates will go there instead of to the base OS repo.

= Stable Releases =

Philosophy
Releases of the Fedora distribution are like releases of the individual packages that compose it. A major version number reflects a more-or-less stable set of features and functionality. As a result, we should avoid major updates of packages within a stable release. Updates should aim to fix bugs, and not introduce features, particularly when those features would materially affect the user or developer experience. The update rate for any given release should drop off over time, approaching zero near release end-of-life; since updates are primarily bugfixes, fewer and fewer should be needed over time.

This necessarily means that stable releases will not closely track the very latest upstream code for all packages. We have rawhide for that.

Rebases should be carefully considered with respect to their dependencies. A rebase that required (or provided) a new Python ABI, for example, would almost certainly not be allowed. ABI changes in general are very strongly discouraged, they force larger update sets on users and they make life difficult for third-party packagers. Additionally, updates that convert resources or configuration one way (ie, from older->newer) should be approached with extreme caution as there would be much less chance of backing out an update that did these things.

Whenever possible packagers should work with upstream to come up with stable branch releases or common patches for older releases, particularly when rebasing would require large dependency chain updates.

repos available: base updates updates-testing

Updates to 'critical path' packages
Updates that constitute a part of the 'critical path' package set (defined below) including security updates must follow the rules as defined for critical path packages for pending releases, meaning:


 * At the time of the request to stable, the update needs to have a Bodhi karma sum of 2 AND
 * One of these positive karma points needs to be from a Proventester

For the purposes of this policy, the 'critical path' package set is defined as the following:


 * The current critical path package set
 * All major desktop environments' core functionality (GNOME, KDE, Xfce, LXDE)
 * Package updating frameworks
 * Major desktop productivity apps. An initial list would be, (konqueror), , ,  (kmail).

Changes to this definition would be done by FESCo or their delegate.

All other updates
All other updates must either:


 * reach the criteria laid out in the previous section OR
 * reach the positive Bodhi karma threshold specified by the updates submitter OR
 * spend some minimum amount of time in updates-testing, currently one week

Package maintainers MUST:


 * Avoid Major version updates, ABI breakage or API changes if at all possible.
 * Avoid changing the user experience if at all possible.
 * Avoid updates that are trivial or don't affect any Fedora users.

Package maintainers SHOULD:
 * Push only major bug fixes and security fixes to release(n-1).

Exceptions
Some classes of software will not fit in these guidelines. If your package does not fit in one of the classes below, but you think it should be allowed to update more rapidly, propose a new exception class to FESCO and/or request an exception for your specific update case. Note that you should open this dialog _BEFORE_ you build or push updates. The following things would be considered in a exception request.

Things that would make it more likely to grant a request:


 * The package is a "leaf" node. Nothing depends on it or requires it.
 * The update fixes a security issue that would affect a large number of users.
 * The update doesn't change ABI/API and nothing needs to be rebuilt against the new version.
 * The update fixes serious bugs that many fedora users are encountering.

Things that would make it less likely to grant a request:


 * The update converts databases or resources one way to a new format.
 * The update requires admin intervention for the service to keep working (config file format changes, etc)
 * The update causes behavior changes (something that was denied is allowed, etc)
 * The update changes the UI the end user sees (moves menus or buttons around, changes option names on command line)
 * The update fixes bugs that no fedora user has reported nor would affect many fedora users (ie, fixes for other platforms or configurations).

Security fixes
If upstream does not provide security fixes for a particular release, and if backporting the fix would be impractical, then a package may be rebased onto a version that upstream supports. The definition of practicality is left to the judgement of FESCO and the packager.

Interoperability
If a package primarily serves to interoperate with hardware or network protocols, and the interface changes, then a package may be rebased if necessary. This includes network games, IM protocols, hardware music players, cell phones, etc. These packages may also be updated to add support for new devices or formats in compatible ways.

Examples of this type of package:, , ,

Database packages
Packages like virus scanners and spam filters typically have two components: a rules engine and a database. The database is expected to update frequently (sometimes not through the normal OS update mechanisms), but the rules engine is usually fairly static. However, if the maintained database changes to require a new version of the rules engine, then the package may be a candidate for rebasing.

Examples of this type of package: ,

Examples

 * Mozilla releases Firefox 4.0.1 with a security fix. Fedora 12 is shipping with 3.0.7, and though the bug is also present there, the fix in 4.0.1 does not apply because that part of the browser has been completely rewritten.  Rebasing to 4.0.1 would be allowed since this is a security fix.


 * automake releases a new version that changes some warning conditions to errors. This would break the build process for existing packages, and would not be allowed.


 * AOL changes their instant messenger protocol in a way that requires an update to libpurple. The only upstream version of libpurple that supports the new protocol is an ABI break relative to the version in the current Fedora release.  Rebasing would be allowed since this is an interoperability requirement.


 * Abiword releases a new version that adds compatibility with WordStar 4.0 documents. It also completely updates the user interface to use pie menus.  This would be a feature enhancement with a major user experience change, and would not be allowed.


 * WebKit requires an update to solve a security problem. This requires updating Midori to a version with some minor menu layout changes.  This would be a judgement call based on how intrusive the changes are (removing the File menu would be rude, but moving the plugin configuration menu item would be acceptable).


 * Firefox releases an update that only contains changes for other platforms. This update could be pushed to rawhide (just to keep up with the latest version), but should not be pushed to stable releases, as it does no good to our users and wastes resources to build, update, mirror and download to our users.


 * Terminal fails to build from source when tested in a mass rebuild. An updated package should be pushed to rawhide. Fixes for stable releases should be tested and even commited, but unless there is a problem with the previous existing build in the stable release, no update should be issued. This update would not change any user facing functions of the package.


 * KDE upstream releases a new major version, and at the same time stops supporting the older release that is in Fedora N and Fedora N-1. This release includes a large number of bugfixes, mixed with enhancements and security fixes. An exception for this type of update would need to consider: ability to backport major fixes/security issues, type and amount of bugs fixed, ability to not update other parts of fedora for this update (ie, avoid qt or other base library ABI changes), amount of testing and end user visible changes. An exception like this would be on a case by case bases based on all the above.

= Problems or issues with Updates =

In an effort to learn from any mistakes made, in the event of a update causing a widespread or serious problem for Fedora users, please file a FESCo trac ticket. FESCo will discuss and try and work to prevent the issue from happening again. A past record of such issues can be found at Updates Lessons.

FESCo will work with QA and others to prevent or mitigate the issue.

= AutoQA =

Note that once AutoQA is ready, it will be enabled whenever possible. This guide will be modified to add AutoQA in when it's ready.

AutoQA Acceptance tests for all updates
All updates, including security updates, must pass acceptance criteria before being pushed.

The list of tests will be:
 * Packages must not break dependencies
 * Packages must not break upgrade path
 * Packages must not introduce new file/package conflicts
 * Packages must be able to install cleanly

Additional tests will be set by FESCo with input from QA.