for background. We
recently had a meeting with release engineering about actually
implementing this. See the notes in comment #33.
This resulted in several questions for the security team.

First: we agreed that we don't want just any update using this -- it
should be for updates that are both critical and urgent. (Remote root
ssh exploit, anyone? *knock on wood*) So, we think it makes sense for
updates to be selected for this process by the security team. The
question is: who should that be exactly, and how should that group be
defined. (An existing FAS group? A special new one? Something else?)

Second, a more technical matter. In order for an update to be treated
specially, it will need something special in Bodhi. One relatively easy
way is to have the security person (from question #1) submit the
update, instead of the packager. (Or, possibly, in *addition* to the
packager submitting the update for the regular repositories.) Since
this is something that hopefully will happen a couple of times a year
(or less!), is that workable? Or, would it be better for the packager
to submit the update as normal, but provide some button or checkbox
available to the security team to escalate the update to the urgent

Third, any other questions or concerns?

Fedora Project Leader