On Wed, 2011-05-18 at 10:44 -0700, Adam Williamson wrote:
> On Wed, 2011-05-18 at 13:37 -0400, Adam Jackson wrote:
> > On 5/18/11 1:22 PM, Kevin Kofler wrote:
> > > Adam Williamson wrote:
> > > > # There must be no known remote code execution vulnerability which could be exploited during installation or during use of a live image shipped with the release
> > > This is just completely and utterly moot considering that there are going to be many more unknown vulnerabilities than known ones, and that several of those are inevitably going to come up during the 6-month lifetime of a release.
> > The difference between a known and an unknown security bug is that, if _you_ know about it, it's virtually certain that someone malicious already does too.
> > We can't avoid unknown risk exposure. You're arguing for ignoring known risk exposure entirely. Seems a touch irresponsible.
> > Also: twelve months.
> Well, I think his point is that it's almost certain that some 'unknown' exposures will become 'known' during the life cycle of a release, at which point the live images we released three months previously are vulnerable to a known security exploit and there's exactly nothing we can do about it - so worrying about the ones we _can_ fix at release time becomes less important, when viewed from that perspective. It's a good point.
Is it unthinkable to respin the images with those fixes? Usually the patches are quite simple to backport, and we are talking about a limited set of bugs (remote root exploit on install) after all.
Simo.