Does Arch get "pre-release" notifications for well-known projects?

jonathon · 2016-09-19 20:21:36

And if not, should we? Is Arch "big" enough to get this sort of access?

Example: Ubuntu gets early access to Firefox and Thunderbird releases, see https://launchpad.net/~ubuntu-mozilla-s … ubuntu/ppa

Note that "build3" is a "final" build, not a beta. Mozilla have not publicly released the source for 49 via their FTP as of writing.

[edit: change title]

Last edited by jonathon (2016-09-20 10:25:10)

Awebb · 2016-09-19 21:13:41

1. We should rather ask, why a "pre-release" exists in the first place. If it's for testing purposes, then access to those sources would only make sense, if firefox was a package that tends to linger in [testing] for a while.

2. "We" would not be able to release the sources to the public. ABS works by fetching a tarball with a PKGBUILD and other files from an Arch server, then makepkg is being used to fetch the sources from the PKGBUILD and build the package. If there suddenly is a firefox package in the repos but not in ABS, then people would probably climb up walls faster than you can count to potato, because a) they can't rebuild it, b) they can't verify the build and c) it would smell like a can of haxx au jus from two weeks ago.

3. Explain the benefits.

Last edited by Awebb (2016-09-19 21:16:10)

jonathon · 2016-09-19 22:29:07

1. To ensure packages are built and available for general availability on official release, especially for those releases addressing CVEs.
2. The Ubuntu package source is available. See the linked PPA for the .orig.tar.bz2 (this won't build with existing Arch patches but I didn't spend much time on it).
3. Immediate availability of new package on official release, especially when there is/are CVEs.

TheChickenMan · 2016-09-19 23:30:23

If these are open source projects then shouldn't these sources always be available to everyone? I thought half the point was not to be having some kind of limited availability "special sauce" stuff going on behind the scenes. If Ubuntu gets it then everyone should be having the same access when they want; individuals and distributions large and small.

jonathon · 2016-09-20 00:14:11

Yes, source code is available as normal for open-source projects. I suppose in the case of Firefox watching https://hg.mozilla.org/releases/mozilla-release/ would be a way forward.

I suppose what I'm really asking is whether there is communication between upstream and the security team, for example, or whether someone (or somefew, or somemany) are actively watching for new sources ahead of official release announcements. For example, given Ubuntu have had FF49 building for a week I was hoping Arch was also building somewhere I wasn't aware of ([testing] is at 48.0.2).

Trilby · 2016-09-20 00:17:59

https://aur.archlinux.org/packages/?O=0 … _Search=Go

It's also been available here for one week.

jonathon · 2016-09-20 00:29:57

Oh. So Ubuntu are building the RCs. Tsk. That's prosaic. I suppose that means the final RC (build4) is 'release' so those packages will be moved over.

Allan · 2016-09-20 03:57:44

Short answer is that happens in some cases.

R00KIE · 2016-09-20 09:45:50

Making release candidate versions available to users would be against Arch's principles https://wiki.archlinux.org/index.php/Ar … #Modernity

There are cases where packages are built from git, but those are the exceptions and only because the latest stable release has some problem that warrants building a package from git.

Regarding security, important security updates do seem to hit the repos very quickly, at least my feeling is that I usually see important updates hit the repos before the security issues become mainstream technology/software news. I don't know how and what the security team is doing behind the scenes but to me it seems they are doing a good job already.

jonathon · 2016-09-20 10:24:18

Allan wrote:

Short answer is that happens in some cases.

Excellent.

R00KIE wrote:

Making release candidate versions available to users would be against Arch's principles https://wiki.archlinux.org/index.php/Ar … #Modernity

That makes sense, and wasn't quite what I was suggesting. It was more a case of finding out why (for example) I can get hold of a "pre-release" Firefox from (an) Ubuntu (team PPA) but not Arch. The answer is it's not a "pre-release", it's an RC, but the Ubuntu team will be building each RC to ensure they can backport the build to each supported distro. This means that by the time the final RC becomes the final release, they have a working package ready to be made available from $distro-security.

There was also the aspect of checking whether Arch was getting security-related pre-release notifications, which it looks like they do, so great!

Trilby · 2016-09-20 12:00:48

I'm not really sure what this thread is actually about. Ubuntu PPAs are not comparable to our repos - neither main repos nor testing. PPAs are comparable to the AUR. Case in point:

https://help.ubuntu.com/community/PPA wrote:

PPAs can be used to extend the available software in ubuntu to both programs that are not otherwise available in ubuntu, as well as to allow newer versions, such as beta programs, that have not yet undergone sufficient testing to be imported into the main archive.

This is also precisely one of the functions of the AUR.

Ubuntu PPAs for firefox 49 look to have been made available on the same day that firefox-beta in the AUR was at version 49.

So, to answer the title question: no, arch doesn't get "pre-release" notifications for well-known projects. Neither does Ubuntu. I'm not sure where you got the idea that Ubuntu does. If it was from an official channel then they are putting os much marketing spin on the facts to just be completely wrong.

jonathon · 2016-09-20 12:31:40

Trilby wrote:

I'm not really sure what this thread is actually about.

Then feel free to close it. Allan already answered my question.

Ubuntu PPAs are not comparable to our repos - neither main repos nor testing. PPAs are comparable to the AUR.

Almost. PPAs are effectively private build environments, running on Launchpad. While anyone can run a PPA, they are also used by the various Ubuntu teams for testing, backporting, and pre-release building. Launchpad runs Ubuntu's build system. The packages built in the various staging PPAs will either be copied across to or re-uploaded to the release pockets.

AUR packages are built locally so are dependent on local package and library versions. PPAs build packages in pbuilder chroots so use the standard toolchains for the targeted release.

Case in point:
https://help.ubuntu.com/community/PPA wrote:
PPAs can be used to extend the available software in ubuntu to both programs that are not otherwise available in ubuntu, as well as to allow newer versions, such as beta programs, that have not yet undergone sufficient testing to be imported into the main archive.
This is also precisely one of the functions of the AUR.

OK. I'm not saying Arch should have a PPA-style system.

Ubuntu PPAs for firefox 49 look to have been made available on the same day that firefox-beta in the AUR was at version 49.

Not really relevant to my question unless the AUR package is maintained by the same people as the Arch package, but OK.

So, to answer the title question: no, arch doesn't get "pre-release" notifications for well-known projects. Neither does Ubuntu.

Really? No notifications to security teams? Pretty sure the Ubuntu security teams are in contact with various upstream projects. Ah well.

Last edited by jonathon (2016-09-20 12:32:12)

Trilby · 2016-09-20 13:16:23

jonathon wrote:

Really? No notifications to security teams? Pretty sure the Ubuntu security teams are in contact with various upstream projects. Ah well.

On what planet could what I said be misinterpreted to say Ubuntu and Arch are not in contact with upstream developers? Despite one my collegues vouching for you, this looks purely like trolling to me. So I will take you up on your invitation to close this thread.

Allan · 2016-09-20 14:20:48

jonathon wrote:

Really? No notifications to security teams? Pretty sure the Ubuntu security teams are in contact with various upstream projects. Ah well.

Just abusing my hidden powers on this board...

We get pre-notified about various security releases. All decent distros do.

Arch Linux

#1 2016-09-19 20:21:36

Does Arch get "pre-release" notifications for well-known projects?

#2 2016-09-19 21:13:41

Re: Does Arch get "pre-release" notifications for well-known projects?

#3 2016-09-19 22:29:07

Re: Does Arch get "pre-release" notifications for well-known projects?

#4 2016-09-19 23:30:23

Re: Does Arch get "pre-release" notifications for well-known projects?

#5 2016-09-20 00:14:11

Re: Does Arch get "pre-release" notifications for well-known projects?

#6 2016-09-20 00:17:59

Re: Does Arch get "pre-release" notifications for well-known projects?

#7 2016-09-20 00:29:57

Re: Does Arch get "pre-release" notifications for well-known projects?

#8 2016-09-20 03:57:44

Re: Does Arch get "pre-release" notifications for well-known projects?

#9 2016-09-20 09:45:50

Re: Does Arch get "pre-release" notifications for well-known projects?

#10 2016-09-20 10:24:18

Re: Does Arch get "pre-release" notifications for well-known projects?

#11 2016-09-20 12:00:48

Re: Does Arch get "pre-release" notifications for well-known projects?

#12 2016-09-20 12:31:40

Re: Does Arch get "pre-release" notifications for well-known projects?

#13 2016-09-20 13:16:23

Re: Does Arch get "pre-release" notifications for well-known projects?

#14 2016-09-20 14:20:48

Re: Does Arch get "pre-release" notifications for well-known projects?

Board footer