[HTTPS-Everywhere] What is a timely update window? (Was: https everywhere 2.2.1 released)

[Russell Golden]

I would *greatly* appreciate an answer to this question. Thank you.

---------- Forwarded message ----------
From: "Russell Golden" <niveusluna at niveusluna.org>
Date: Aug 23, 2012 8:23 AM
Subject: Re: [HTTPS-Everywhere] 2.2.1 stable released
To: "Peter Eckersley" <pde at eff.org>, "https-everywhere at mail1.eff.org" <
https-everywhere at mail1.eff.org>

On Aug 18, 2012 12:34 AM, "Peter Eckersley" <pde at eff.org> wrote:
>
> As the package maintainer, it's up to you.  There have been a couple of
times
> in the history of the project when we've had to push releases quickly to
deal
> with breakage, so I can't promise it'll never happen again.  If appManaged
> meant that Fedora/RHEL users wouldn't normally get HTTPS Everywhere
updates
> until they upgrade their OS, I'd say it was a bad idea because sites
> themselves break their HTTPS support and we push updates to fix that.
But if
> appManaged means that you'll wait a few days after most stable releases
before
> pushing them to RedHat users, that seems fine.

It means they will have to update the RPM to receive updates, yes, but only
if it doesn't already exist in their browser profile. If it does, then the
system-wide version gets ignored completely, even if the system version is
newer.

I absolutely plan to push updates to the repos within a few days of
upstream release, absolutely.

The problem is that it is up to the user/sysadmin to update the RPMs, and
some places have a stupid "what the heck are updates?" policy. They install
the RHEL version that the makers of some product say they support, and
never update it, ever. Makes me want to cry.

Now we come to the big question: what would you consider a timely update
window? Without positive karma, Fedora updates require a minimum of 7 days
in the testing repos before you can push them to stable. EPEL requires 14
days. I'm all for stability, but I think 14 days is a little ridiculous for
a browser extension. Especially one that can break as readily as HTTPS
Everywhere in ways beyond upstream's control. I do offer a side repo on
repos.fedorapeople.org for EPEL users that updates much faster, but I
imagine that some sysadmins would be reluctant to use it.

Please send me your feedback on this question. I want stability for the
package, but I don't want to leave users high and dry while the RPM sits in
-testing waiting on karma, either. I'm still pretty new to packaging stuff,
and I want all the feedback I can get.

Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.eff.org/pipermail/https-everywhere/attachments/20121005/335b86b1/attachment.html>