On Sat, Apr 18, 2015 at 12:35 PM, Jerry Bratton JerryLBratton@mail.com wrote:
I'm concerned about how long it takes security updates to make it to users under Fedora's current policies (which generally allow such updates the possibility of sitting in testing for 14 days, or even longer).
Just one example is the Firefox 37.0.1 update for Fedora 20: https://admin.fedoraproject.org/updates/FEDORA-2015-5723/firefox-37.0.1-1.fc...
The currently available version of Firefox in Fedora 20 has a critical vulnerability which allows a man-in-the-middle attacker to impersonate any HTTPS website. In this context, shouldn't security concerns win out over the worry that there might be some regression? We already know there's a serious problem in the current package, so why do we have to wait 14 days just because there might be some problem in the new package?
Shouldn't this policy be revised?
I thought a packager already has the ability to push something to stable without any delay? It's just not the default. Is that incorrect?
I think in the case of an upstream like Firefox, where we can pretty much be assured that they've escalated a critical security update before any other pending updates, it's completely reasonable for the packager to take advantage of any policy that lets them bypass updates-testing.
I don't know whether that's correct or not. If it is true, Stransky, could you take that approach in future instances?
In any case, this is not an issue specific to one particular update or one particular maintainer. Perhaps there should be a checkbox for "this is a security update ONLY" that would allow an update to bypass the updates testing repository?
----- Original Message -----
I'm concerned about how long it takes security updates to make it to users under Fedora's current policies (which generally allow such updates the possibility of sitting in testing for 14 days, or even longer).
It might be a problem sometimes, and there's discussion ongoing about how to push urgent and severe updates to users faster.
https://lists.fedoraproject.org/pipermail/test/2015-April/125890.html
https://fedorahosted.org/rel-eng/ticket/5886
But as it was pointed out in this thread, it's not that easy a task. Security issues are hard to solve - on one hand, you want it as soon as possible; on the other hand, it should not make the issue worse or break your system completely. So it requires a lot of attention, testing, etc., and we're still a small community (and you can see how even big vendors are struggling with security updates).
Jaroslav
-- packaging mailing list packaging@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/packaging
security-team@lists.fedoraproject.org