On Mon, 2024-04-01 at 09:32 -0500, Michael Catanzaro wrote:
> On Sun, Mar 31 2024 at 06:52:53 PM +00:00:00, Christopher Klooz <py0xc3@posteo.net> wrote:
> > "Fedora Linux 40 branched users (i.e. pre-Beta) likely received the potentially vulnerable 5.6.0-2.fc40 build if the system updated between March 2nd and March 6th. Fedora Linux 40 Beta users only using stable repositories are NOT impacted. Fedora Linux 39 and 38 users are also NOT impacted."
> > -> only pre-beta, not beta, affected -> F40 Beta using stable NOT impacted (without challenging the previously distributed assumption that testing is disabled by default)
> > That's still the same false information, isn't it?
> It looks correct to me. The bug was fixed prior to the final release of F40 Beta,
This is not really correct, or at least not at all relevant. The bug wasn't in F40 Beta simply because the update never made it to 'stable'. Only 'stable' packages go into *composes*. However, saying that is not really useful because anyone who *installed* Beta and then updated it regularly may have got the vulnerable package. We should not say anything to give people the impression that if they installed Beta, they don't need to worry. That is not true or helpful.
> so describing it as "pre-beta" makes sense. And people who used only the stable repos were indeed not affected. The article later clarifies that updates-testing is enabled by default (although it would be nicer to do this higher up rather than lower down the page).
For the same reason I think it's dangerous and not useful to try and draw this distinction between notional "people who only use stable repos" and people who use testing. Who would actually install F40 but then manually turn updates-testing off? Very few people. I don't think we should talk about this because it just confuses the issue. It would be like saying a stable release security issue that appeared in a stable update didn't affect people who turned off the updates repo. Technically true, but people don't do that, why would we say it?
We should have a simple and clear message that covers the most common and important case: if you installed Fedora 40 and updated regularly during the vulnerable time frame, you very likely got the vulnerable package and should take appropriate action. We should not confuse this with unnecessary verbiage about stable and testing and pre-Beta and post-Beta.