On 01/04/2024 16.32, Michael Catanzaro wrote:
> On Sun, Mar 31 2024 at 06:52:53 PM +00:00:00, Christopher Klooz py0xc3@posteo.net wrote:
>> "Fedora Linux 40 branched users (i.e. pre-Beta) likely received the potentially vulnerable 5.6.0-2.fc40 build if the system updated between March 2nd and March 6th. Fedora Linux 40 Beta users only using stable repositories are NOT impacted. Fedora Linux 39 and 38 users are also NOT impacted."
>> -> only pre-beta, not beta, affected -> F40 beta using stable NOT impacted (without challenging the previously distributed assumption that testing is disabled by default)
>> That's still the same false information, isn't it?
>
> It looks correct to me. The bug was fixed prior to the final release of F40 beta, so describing it as "pre-beta" makes sense. And people who used only the stable repos were indeed not affected. The article later clarifies that updates-testing is enabled by default (although it would be nicer to do this higher up rather than lower down the page).

Interesting. I thought the below note about "testing = enabled by default" was already mentioned before. I was only worried about the top section. The abstract decides if people keep reading, and with the previously spread information, I had doubts that the sentence motivates people to read further. So I assume the "stable repo not impacted" sentence suggests something false given the previously established context (default = stable, not testing).
Concerning your argument that the bug was fixed prior to the beta release, I answered on the Fedora Discussion topic [1] (to avoid duplication here) since I am not sure if I understand what you mean (and what it implies for the majority of users).
Btw, thanks for your elaborations and clarifications in recent days ;)
[1] https://discussion.fedoraproject.org/t/xz-lessons-learned-if-how-to-involve-...