On Wed, Sep 22, 2010 at 8:35 PM, Kevin Fenzi <kevin(a)scrye.com> wrote:
> On Wed, 22 Sep 2010 12:12:54 -0500
> Bruno Wolff III <bruno(a)wolff.to> wrote:
> > On Wed, Sep 22, 2010 at 18:58:25 +0200,
> > drago01 <drago01(a)gmail.com> wrote:
> > >
> > > In case of a security issue a random note somewhere "don't do that"
> > > is not acceptable ... that's all I am saying here.
> > > You are leaving users at risk by assuming that they will read that
> > > notice (note: most won't).
> >
> > I disagree. There are lots of degrees to security bugs. How they are
> > handled depends on the cost of fixing the issue and the impact of the
> > bug. These tradeoffs are made all of the time.
>
> I agree with Bruno here.
>
> Security updates are very important and should be given a pretty high
> weight in general, but there are lots of further factors:
>
> - Does the security issue not affect Fedora in its default
> configuration?
> - Is there a way to backport the fix to the current version instead of
> taking a vastly changed upstream head package version?
> - Can some minor/not very used part of the existing package be disabled
> to prevent the security issue from being a problem?
>
> Few things are black and white.
Might be true, but a random notice on some website / mailing list /
$whatever is NOT a fix. Period.