new f19/f20 images

Chuck Anderson cra at WPI.EDU
Thu Apr 17 13:02:49 UTC 2014


On Thu, Apr 17, 2014 at 02:52:41PM +0200, drago01 wrote:
> On Thu, Apr 17, 2014 at 2:51 PM, Chuck Anderson <cra at wpi.edu> wrote:
> > On Wed, Apr 16, 2014 at 11:23:15PM +0200, drago01 wrote:
> >> On Wed, Apr 16, 2014 at 9:11 PM, Kevin Fenzi <kevin at scrye.com> wrote:
> >> > Greetings.
> >> >
> >> > We have new f19/f20 images with openssl updated, and they appear to be
> >> > default/live already.
> >> >
> >> > Were we waiting for some testing runs on them before announcing?
> >> > (Which we should have done before making them live, imho)
> >> >
> >> > Or did that already happen?
> >> >
> >> > Did we want to do a full test cycle on them?
> >> > Or just openssl related actions?
> >>
> >> Huh?
> >>
> >> Since when do we do something like this? Sounds like an overreaction to me.
> >> Installing (security) updates is the first thing you should do after
> >> installing anyway and besides who decided this and when?
> >> What are the criteria for doing updated images?
> >
> > Live images can't be updated...
> 
> 1) They can
> 2) Live images are not supposed to be used for production ..

1) Sure if you have a persistent live image on a USB I suppose.  But
with CD/DVD media, you cannot update and then reboot as is necessary
to fix the issue.  You can manually restart all processes/services
that were linked against the old openssl I suppose, but you would have
to go through this dance after every single boot to remove this
vulnerability.

2) Live images could be used to rescue/repair a production
environment, or could be used as a client to access a production
environment.  For example, one could be using "curl" which is linked
against the bad openssl.  We shouldn't leave our users exposed if they
decide to use a live image, especially since I don't think it is
documented anywhere that "these images are unsuitable for use in a
production environment".

Additionally, I believe we should somehow clearly mark all the new
images so that we can easily tell if they are the updated ones or not.
Maybe call them Fedora releases 19.1 and 20.1.
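The "restart every process linked against the old openssl" dance described above can at least be checked rather than guessed at. The script below is an added example, not something from this thread or from Fedora's tooling: after a package update replaces a shared library on disk, any process that loaded the old copy still maps the old inode, and Linux shows that mapping in /proc/PID/maps with a "(deleted)" suffix. The sample maps content is constructed for the example, and the library paths and version strings in it are placeholders, not a statement about any particular build.

```shell
#!/bin/sh
# Added example: find processes still mapping a libssl/libcrypto that has been
# replaced (deleted) on disk. Such processes keep running the old library code
# until they are restarted; on a non-persistent live image a reboot would
# discard the update, so restarting them is the only way to get the fix.

# stale_ssl_maps: read one process's /proc/PID/maps on stdin and print the
# distinct libssl/libcrypto object paths whose file has been deleted.
# maps fields: start-end perms offset dev inode [pathname] ["(deleted)"]
stale_ssl_maps() {
    awk '$6 ~ /lib(ssl|crypto)[^ ]*\.so/ && $NF == "(deleted)" { print $6 }' | sort -u
}

# count_stale_ssl_maps: same input, prints the number of distinct stale objects.
count_stale_ssl_maps() {
    stale_ssl_maps | wc -l | tr -d ' '
}

# scan_running_processes: walk /proc and print "PID<tab>command<tab>library"
# for every stale mapping. Reading other users' maps normally requires root.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_ssl_maps < "$maps" 2>/dev/null)
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s\n' "$libs" | while IFS= read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed sample of one process's maps (hypothetical paths/versions):
# two segments of an old libssl, one of an old libcrypto, an intact libc,
# an anonymous mapping, and an unrelated deleted library that must be ignored.
SAMPLE_MAPS='7f0a00000000-7f0a00200000 r-xp 00000000 fd:01 131073 /usr/lib64/libssl.so.1.0.1e (deleted)
7f0a00200000-7f0a00400000 r--p 00200000 fd:01 131073 /usr/lib64/libssl.so.1.0.1e (deleted)
7f0a00400000-7f0a00600000 r-xp 00000000 fd:01 131074 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f0a00600000-7f0a00800000 r-xp 00000000 fd:01 131080 /usr/lib64/libc-2.18.so
7f0a00800000-7f0a00900000 rw-p 00000000 00:00 0
7f0a00900000-7f0a00a00000 r-xp 00000000 fd:01 131090 /usr/lib64/libz.so.1.2.8 (deleted)'

# Run the live scan only when asked ("sh script.sh scan"); otherwise show the
# parser on the constructed sample so the script is safe to execute anywhere.
case "${1:-}" in
    scan) scan_running_processes ;;
    *)    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps ;;
esac
```

Processes it reports need a restart (or, for a service manager, a unit restart) before the updated library is actually in use; a clean report after the update and restarts is the check that the live-image update worked without a reboot.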
