On Fri, 12 Nov 2010 12:02:03 -0800
Adam Williamson <awilliam(a)redhat.com> wrote:
> On Fri, 2010-11-12 at 14:54 -0500, Simo Sorce wrote:
> > Adam why should security updates wait at all ?
> > Do you fear some packager will flag as security updates that are
> > not ? Surely we can deal with such maintainer if that happens...
>
> I don't have a hugely strong opinion either way, but the stated reason
> by those who do is that security updates can be broken just like any
> other. We don't have a magic 'infallible' switch on packagers which we
> toggle only when they're building a security update. :)

Oh sure I don't doubt that. But in this case we need to deal with the
Is it more important to close a security bug with a (small) risk of
breaking a package ?
Or is it more important to (try to) test it and leave our users exposed
for a long time to a security threat ?
If we are not comfortable with treating all security issues the same we
can have a flag that skips testing only for "remote exploit" type of
security issues. That will reduce the number of exceptions to the most
What do you think ?
Simo Sorce * Red Hat, Inc * New York