On Mon, 2024-04-01 at 12:16 -0500, Michael Catanzaro wrote:
> On Mon, Apr 1 2024 at 10:12:55 AM -07:00:00, Adam Williamson <adamwill@fedoraproject.org> wrote:
>> This is not really correct, or at least at all relevant. The bug wasn't in F40 Beta simply because the update never made it to 'stable'. Only 'stable' packages go into *composes*. However, saying that is not really useful because anyone who *installed* Beta and then updated it regularly may have got the vulnerable package. We should not say anything to give people the impression that if they installed Beta, they don't need to worry. That is not true or helpful.
> Thing is, the bug was fixed before Fedora 40 Beta was released. If you installed the beta on or after the release date, you never got the builds with ifuncs enabled. This is why it's correct to say that only "pre-beta" builds were backdoored.
Oh, ISWYM. Well, I suppose yes, that does happen to be true. We could communicate that if it's done very carefully and made really clear that it's about the *time frame*, nothing to do with the repositories.