2015-04-19 19:25 GMT+02:00 Michael Schwendt <mschwendt(a)gmail.com>:
> On Sun, 19 Apr 2015 00:07:48 +0200, Jerry Bratton wrote:
> > Then the policy that I suggest revising is the one which precludes automatically
> > pushing at the +2 threshold.
> >
> There is no "one size fits all" with regard to security updates.
> Even if it were not a version upgrade, but only a small patch on top of a
> previously released version of the software, it's a new build that can
> break in lots of funny and not so funny ways. Sometimes software builds
> break because dependencies, tool-chains, frameworks have changed since the
> last released build.
Hmm,
Security has precedence over even backward compatibility.
The maintainers should be ultimately responsible for ensuring that the
package they maintain is in a coherent state and, in theory, just
backporting the security patches. I know that it is often easier said
than done, but the general rule is security first.
> > Even requiring the lower threshold might arguably be too much. In
> > any case, under the current system, users of Fedora 20 have been vulnerable already for 15
> > days.
> >
> Which, IMHO, is not true, because this update is available in the
> updates-testing repository. What is wrong with fetching it from there?
> Especially since you think it's good enough to be unleashed.
General users can't really be asked to enable by default a testing
repository, and you really need to know if an update is a security
update, rather than a general update.
> Users of Fedora really need to understand that they are consumers of
> test updates in more cases than they may be aware of. All those Test Updates,
> which are pushed into the stable updates repo manually (i.e. with 0 karma
> and no explicit feedback from any testers, not even the packager) may have
> seen no testing at all.
This is a problem that needs to be addressed, and I don't think it can
be addressed by pushing the burden over to the users.
I agree Fedora is a community effort, but it's the wrong take to
require that anybody who uses Fedora *must* contribute to it, or the
penalty is to receive wrong updates or a vulnerable system.
Cheers,
Mario
--
pgp key:
http://subkeys.pgp.net/ PGP Key ID: 80F240CF
Fingerprint: BA39 9666 94EC 8B73 27FA FC7C 4086 63E3 80F2 40CF
Java Champion - Blog:
http://neugens.wordpress.com - Twitter: @neugens
Proud GNU Classpath developer:
http://www.classpath.org/
OpenJDK:
http://openjdk.java.net/projects/caciocavallo/
Please, support open standards:
http://endsoftpatents.org/