On 5/18/11 1:22 PM, Kevin Kofler wrote:
> Adam Williamson wrote:
>> # There must be no known remote code execution vulnerability which could be exploited during installation or during use of a live image shipped with the release
> This is just completely and utterly moot considering that there are going to be many more unknown vulnerabilities than known ones, and that several of those are inevitably going to come up during the 6-month lifetime of a release.
The difference between a known and an unknown security bug is that, if _you_ know about it, it's virtually certain that someone malicious already does too.
We can't avoid unknown risk exposure. You're arguing for ignoring known risk exposure entirely. Seems a touch irresponsible.
Also: twelve month.
- ajax