LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Distributions

Mageia bootstraps its package update policy

June 22, 2011

This article was contributed by Nathan Willis

Mageia, the community-driven fork of Mandriva Linux, has made its initial release, just eight months after the project's inception. It is a major accomplishment, but the development team has already turned its attention to the next pressing challenge: how to set up and manage package updates, including how to handle security fixes, how to integrate backports and missing packages, and how to bootstrap a QA process.

The release of Mageia 1 marks a turning point for the distribution, because end users are now encouraged to install and use it on a daily basis — and up until now, most of those users were still running Mandriva, which continued to receive regular package updates.

A user switching to Mageia is likely to encounter several distinct package update scenarios: security updates to close specific vulnerabilities, incremental bugfix updates, and new packages that for one reason or another were not ready for inclusion with the initial release of Mageia 1. Each scenario has its peculiarities, although for simplicity's sake, it is in the project's interest to provide as uniform a testing and update process as possible.

Mageia's effort to hash out an update process is not simply a start-up problem. Many on the team were unhappy with Mandriva's process over the years. As Michael Scherer explained:

Security and stable updates were quite disconnected from maintainers, and so it didn't scale well. It didn't scale because people didn't know security procedure (it was not part of the expected curriculum of a packager, and often was done without them implied), it didn't scale because security was only for a restricted set of [salaried employees] taking care of everything on separate systems.

The Mageia team, therefore, has set goals for its own process to be more streamlined, more scalable, and to take security vulnerabilities more seriously. Many of the core team members are former Mandriva contributors (and quite a few were Mandriva employees), so the process includes their opportunity to learn directly from Mandriva's mistakes.

Thus far, Mageia has not pushed out any updated packages to the updates repository, although a June 19 message indicates that the first package updates have at least reached testing. Meanwhile, the outstanding list of "missing package" backport requests, which includes security updates made by Mandriva, stands at over a dozen. So, since the release of Mageia 1, security updates have languished along with other updates, though it appears that will be changing soon.

Updates (security and otherwise)

The discussion over how to structure the update process began on the mageia-dev mailing list in early June. As is the case for Mandriva, Mageia plans to run separate RPM repositories for main releases and package updates, plus testing repositories for use by developers and packagers. The draft update policy draws the distinction between the "updates" repository (which is to be used to provide bug-fix or security-fix updates to existing packages), and the "backports" repository (which is to be used to provide new releases of packages).

Nevertheless, there are a handful of exceptions. First, new versions of packages that require an update in order to work with a remote online service are allowed in the updates repository (the examples include networked games and virus scanners). Second, new versions of applications are permitted when the old version is no longer supported by the upstream project itself (a rule that primarily encompasses applications with a short lifecycle like the Chromium and Firefox web browsers).

The update release process follows the same broad plan as used by many other distributions: anyone can file a bug against a package; once the bug is triaged and assigned, the package maintainer can apply the relevant patches and rebuild the package. The maintainer is then responsible for submitting the new build to the updates_testing repository and re-assigning the bug to the QA team. The QA team tests the package to ensure that it fixes the bug, that it both installs and successfully updates the previous version of the package, and (in the case of security fixes) that it closes the security vulnerability.

A few obstacles remain to implementing this process. The first is that, as a new distribution, very few packages have official maintainers. Mageia may assign bugs to package committers as an initial step, but the understanding is that maintainership of a package is a voluntary task. The second obstacle is setting up QA communication channels, to ensure that QA team members do not accidentally step on each other's toes. Whether that takes the form of a read-only mailing list or a web announcement mechanism has yet to be determined.

The third obstacle is that while the QA team is significant in size (and growing), the security team is still much smaller, and less formalized. Conventional wisdom states that the security team has the time-consuming task of monitoring security vulnerability lists and databases, as well as the difficult job of assessing that a rebuilt package fixes the security vulnerability, as opposed to simply verifying a specific "normal" bug fix.

That is not to diminish the amount of work that goes into the QA process. Mageia, like Mandriva before it, prides itself on providing well-tested packages that both integrate with free software applications and play well with third-party (potentially proprietary) offerings. It supports both the GNOME and KDE desktop environments when many distributions choose either one or the other, and is available for both 32-bit and 64-bit architectures.

Backports and support

That desire to offer well-tested packages comes to the forefront in the project's discussion over how to handle "missing packages" and backports. The root of the issue is that Mageia 1 lacks several packages that were available in previous Mandriva releases. Due to personnel constraints, it simply isn't possible to package and test every application and library — so the project did its best with the Mageia 1 release, and is attempting to craft a policy for providing the missing pieces to users between now and the release of Mageia 2.

A case could be made that missing packages are essentially no different than other bugs, and if a package can be tested and added to the repository, it should go in the updates repository. The alternate viewpoint is that updates is by definition reserved for fixes to existing packages, and that the backports repository exists for the specific purpose of allowing users early access to packages slated for the next release — early access at their own risk.

But Mageia 1 is a special circumstance; many of the missing packages have long existed for Mandriva users, and in some cases are even stable and "expected" in a standard distribution (examples from the mailing list include passwd-gen and dd_rescue). Forcing users in need of those packages to enable an unstable repository like backports (which could inadvertently update other packages to new, un-QA-validated versions) puts them at an unacceptable risk. Yet treating backports as a fully-supported repository just to enable the addition of missing packages has its own risks, namely far more work for the QA and security teams.

Scherer argued that if the root cause of the trouble was that backports has historically been synonymous with "bug-filled," then fixing the backports process was the solution. Others suggested that the real pain-point was the notion that backports is "unsupported" — a term casually tossed around in many distributions, but rarely if ever defined. After all, in most cases, a user reporting a problem with a backports package still receives help fixing it from the community. Complicating the issue further is that Mandriva's package management tool RPMDrake allowed users to access specific packages from Mandriva's backports repository, but without enabling the repository as a whole — a behavior that carries its own set of QA and security trade-offs.

Samuel Verschelde suggested a plan of attack for bugs filed against backports, that differentiates them from bugs in updates by establishing a "maintainer first, then upstream" process that relieves the regular QA team from the burden of integrating the fixes. Christiaan Welvaart recommended a way to tie bugs in the backports repository more closely in with the existing QA process by providing better step-by-step guidance to bug reporters.

Eventually, the team came to a consensus around a plan that makes a special exception for the transitional period between Mageia 1 and the release of Mageia 2. During the transition period, missing packages can be added to the updates repository provided that they follow the same QA process as every other update, and that there is a bug report filed formally requesting the package. After Mageia 2 is released, that process will be closed, and missing packages should go through the backports repository, or simply wait for the next release cycle.

Of course, Mageia is also in the process of working out the details of its release cycle, so the proposed backports plan has its small share of uncertainty. At the moment, the distribution has a bleeding-edge distribution named "Cauldron" that operates as a rolling release, but stable end-user releases are tentatively planned to follow the six-month cycle established by Mandriva.

Bubble bubble, hopefully with minimal toil and trouble

Bootstrapping a Linux distribution is always a tremendous amount of work, even for teams like Mageia's, with its healthy number of ex-Mandriva engineers and community contributors. But as many old Linux veterans will tell you, getting the first release out the door is not nearly as taxing as setting up a smooth development, testing, and release process that is sustainable over a multi-year period. Even established distributions struggle with QA and package testing issues from time to time.

The Mageia backports discussion touched on an intriguing issue: what precisely it means when an open source project declares something "supported" or "unsupported." It appears as if that thread has fallen by the wayside, and the team has moved on to the more practical issues of fleshing out the backports process and handling the corner-case of assisting Mandriva users as they transition to the first ever Mageia release. But perhaps Mageia's unusual position as a brand-new distribution staffed by team members that moved over collectively from Mandriva gives it a unique chance to address the supported/unsupported question. It has already allowed them to produce a full-featured distribution in well under a year's time.

Comments (4 posted)

Brief items

Distribution quotes of the week

I would like to thank the people at SouthEast LinuxFest for allowing me to speak about "How to Train Your Users". It was a last minute addition to replace my talk on "How to Fork Fedora for Fun and Profit" since I ran out of Fun and Profit in getting that ready. I would also like to thank the people who sat through my presentation. It was the first one I have given in years and really need to work on it. I do apologize for not bringing a true User Attention Reset Tool, but after being told by several people that many staff were packing ... bringing a knife to a gun fight was ill-advised :).
-- Stephen Smoogen

So with my work done with the Fedora Board, I have decided to spend more time on things I can fix (technical things) versus those I can not (human interactions). One of those things, was to use more of the Rawhide release because if I can earn LWN.net weekly quotes of the week, I should endure the pain that Jonathan Corbet goes through every day. Hopefully it will also get F16 to be better.
-- Stephen Smoogen

Go for a walk, come back and reboot the system the old fashioned way. System reboots into plymouth and stops halfway through the building the icon. Oook gets out hammer.. and boots system into rescue mode again.
-- Stephen Smoogen (still trying to get rawhide running)

So there you have it, if there's a reason for ditching MeeGo, it's certainly not a technical one, and most likely not a good one either. I hope the people out there like what we did with the Nokia N9 and ask the though question "Why exactly did you leave MeeGo, again?", specially when there are no signs of any Windows Phone device.
-- Felipe Contreras

Comments (6 posted)

AV Linux 5.0 Released

AV Linux is live media distribution aimed at multimedia creation. From the 5.0 release announcement: "This release balances the rock-solid reliability of Debian's stable 'Squeeze' release and fortifies it with some carefully selected Sid and Custom packages to make it a state-of-the-art Multimedia Content Creation Powerhouse. This release will usher in a less frequent annual release cycle and shift the focus from Linux Audio/Video software testing to reliable Linux Audio/Video PRODUCTION. If you are someone who'd rather create content than experiment with alpha/beta software then this release is for you."

Full Story (comments: none)

openSUSE releases milestone 2

The openSUSE project has announced the release of openSUSE 12.1 milestone 2 (of 6). "openSUSE is developed in a repository called Factory. Packages flow from the devel projects into Factory upon OK from the release team following the Factory Development Model. During the development cycle (more detailed model) periodic releases are made available for testing - these are the milestones. Six of them become available. After some several freezes go into effect, the component freeze just before the fourth milestone for instance. And about a couple of weeks after the last milestone the first of two Release Candidates is made ready for testing. The final openSUSE 12.1 release is expected on November 11th."

Comments (none posted)

Scientific Linux 5.6

Scientific Linux has announced the release of SL 5.6. "Scientific Linux release 5.6 is based on the rebuilding of RPMS out of SRPMS's from Enterprise 5 Server and Client. It also has all errata and bugfixes up until May 13, 2011." See the release notes for details.

Comments (none posted)

USU Linux and Jeoss Linux

Two distributions were added to the list this week.

USU Linux hails from Bulgaria. It's Ubuntu based and comes in three editions. The mini edition is suitable for home or business use, the desktop edition has a strong focus on educational uses, and the netbook edition is specially created for little mini portable computers. (Thanks to Tsvetomir Parvanov)

Jeoss Linux is a compact install-everywhere Ubuntu based server oriented distribution. It is directly-installable even on legacy, limited resource, and embedded x86 platforms. (Thanks to Patrick Masotta)

Comments (none posted)

Distribution News

Debian GNU/Linux

Planet Debian Derivatives

Paul Wise announces the creation of Planet Debian Derivatives. "For those of you who are interested in the activities of distributions derived from Debian, it aggregates the blogs and planets of all the distributions represented in the derivatives census. The list of feeds will be expanded semi-automatically as more distributions participate in the census and maintainers of census pages add new blog and planet URLs. Many thanks to Joerg Jaspert for doing the necessary setup procedures for the addition of the new sub-planet to Planet Debian. I'm glad that it was accepted alongside the sole language-based sub-planet (Planet Debian Spanish)."

Comments (none posted)

New round of Debian IRC Training Sessions

The Debian project has announced the forthcoming start of a new round of IRC Training Sessions, which will be held on IRC by experienced community members. "Future sessions will be held on a regular basis, and will deal with various aspects of the Debian organization and different teams."

Full Story (comments: none)

Gentoo Linux

Voting for the Gentoo Council 2011-2012 Election begins

The 2011-2012 Gentoo Council election is underway. Voting began June 20 and closes July 4, 2011.

Full Story (comments: none)

Newsletters and articles of interest

Distribution newsletters

Comments (none posted)

Tiny Core Linux 3.7 brings "multi-Core" ISOs (The H)

The H reports on the release of Tiny Core Linux 3.7. New features include a 2.6.33.3 kernel with support for reading and writing NTFS partitions, font updates, control panel updates, and a "multi-core" ISO image that contains the Tiny Core, Micro Core, and the Network Tools editions in just 45M. "Tiny Core is a minimal Linux distribution that weighs in at just over 10 MB in size. The "tiny frugal" desktop distribution features the BusyBox tool collection and a minimal graphics system based on Tiny X and JWM. The core can run entirely in RAM, allowing for a very fast boot. With the help of online repositories, Tiny Core Linux can be expanded to include additional applications."

Comments (none posted)

Page editor: Rebecca Sobol
Next page: Development>>

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds