Re: Changes: GNOME 3.35/3.36 release schedule



On Thu, Sep 12, 2019 at 8:22 AM, Bastien Nocera <hadess hadess net> wrote:
> This is very important for the maintainers of libraries that live in
> the GNOME runtime. Do we have a full list of those? What happens if
> there are security issues that crop up in the meanwhile?

Security issues that crop up in the meanwhile will be fixed in the next runtime update, *if* the issue is in a tarball that's updated by our release scripts and the module is flagged for such updates. All GNOME stuff should be included, as should freedesktop stuff that uploads tarballs outside GitLab. GitLab/GitHub-hosted tarballs require manual updates and thus are not updated.

Keep in mind there is no GNOME security team. Or, to the extent that there is a GNOME security team, it's myself and Tobi spending five minutes per vulnerability to ensure project maintainers know they're on their own. :P And there is currently no human watching for security issues or handling security advisories anyway. That's why I'm still not entirely comfortable with Epiphany returning to Flathub at this time.

So, status quo is not good. But this will still be better than we've ever had before, because until now we've had no scheduled runtime rebuilds at all after the .2 stable release.

Of course, you can always manually propose updates to specific packages in gnome-build-meta whenever you want. That's what I do for WebKit updates, for example. The schedule only shows when release-team will get around to doing it for you. So if you have a particular issue that you think shouldn't wait until the next scheduled update, go ahead and propose a merge request to gnome-build-meta.

Michael



