On Sat, Mar 30, 2024 at 11:12:02PM +0100, Sandro wrote:
From what I understood, F40 Beta, the official Beta release, available from the website as of March 26, has updates-testing disabled by default. That
Nope.
was confirmed by several people in #devel yesterday when the Fedora Magazine article was still being worked on.
I am pretty sure I said the opposite...
nirik: Branched enables updates-testing... so if you installed f40 anytime, you will have it enabled and if you then applied updates it would be in them
nirik: yes, we disable updates-testing by default right before release.
I guess that could have been read as right before beta release, but that's not the case or what I meant. ;)
It's before _Final_ release that we disable updates-testing. It's enabled by default from when we branch the release off until the time right before release when we switch it (usually with a freeze break/blocker bug).
It's the RC composes that are made after branching and before Beta is declared GO, that have updates-testing enabled by default. I was one of the persons raising that point. I'm less certain wrt upgrades in the period between branching and Beta release.
I think the confusion here is "Beta Release" vs "Final release".
We enable updates-testing at branching time all the way until right before "Final release". :)
If that is incorrect and Beta shipped with updates-testing enabled, deliberately or by accident, then I stand corrected.
Yes, it did/does. :)
The logic is that most people who install betas or pre-releases want to help test updates. If for some reason they don't, they can disable it, but the default option is on.
It is obviously still an issue that is evolving and what seems clear now might prove different later. But so far I tend to leave the discussion topic as it is and ensure that F40 users expect being compromised and get informed to act correspondingly with the suggested actions. However, I already added a point on how users can check if they have a malicious build.
I agree. Once the levees broke, news was traveling fast and, for some, panic may have set in, not helping in determining what information is accurate.
Advice to err on the side of caution, check your system and upgrade if unsure, is certainly what I would tell anyone. Even distros (Arch, Gentoo) where it turned out the payload wasn't injected, acted out of an abundance of caution, put out advisories and updates for their users.
What's written on Discussion looks to be covering the broad spectrum. Maybe the Fedora Magazine article could link to that post for further clarification.
Yeah, still lots to know about this...
kevin