On Sun, Mar 31, 2024 at 6:50 AM Kevin Kofler via devel <devel@lists.fedoraproject.org> wrote:
> Kevin Fenzi wrote:
>> Branched enables updates-testing... so if you installed f40 anytime, you will have it enabled and if you then applied updates it would be in them.
> Yet another thing I always said was a bad idea, and this incident proves it. This would have been filtered before reaching most people if we made people only test what actually ends up in the composed Beta and Final images, i.e., updates that made it out to stable. In addition, having updates-testing enabled makes it unsafe to upgrade a Beta installation to Final because suddenly updates-testing gets disabled, but people still have packages from updates-testing (such as the backdoored xz, but also tons of untested packages or ones that explicitly failed testing) installed.
Well, an easy solution is to make it so "dnf update" is coerced to "dnf distro-sync" for development releases. Then it doesn't matter. We could make that happen for Fedora 41 with the DNF 5 transition (there's already code to make this possible with PackageKit with the current DNF backend; it needs to be migrated into DNF 5).
Disabling updates-testing is a bad plan, because we want updates more aggressively tested during the development cycle.