On Fri, May 23, 2014 at 10:01:46AM -0400, Eric H. Christensen wrote:
> I dislike the idea of a separate repo for ultra-critical updates. Once a
> fix is available for a vulnerability it should, IMO, be shipped as soon as
> possible. I know this doesn't fit into the Microsoft model or our model of
> community testing but really as soon as you go public with a fix you've
> also just notified all the "bad guys" out there to the vulnerability and
> exactly how to exploit it. It's a race condition at that point.
I'm not sure I follow here. What do you dislike? This isn't meant to be a
hidden repo -- it's the "ship as soon as possible!" repo, so it sounds like
you're agreeing.
> I'd much prefer to have a mechanism in place that allows these fixes to be
> pushed to the repos almost immediately (once they've been properly
> tested). I'm not exactly sure how this can work but perhaps having QE
> tested patches packaged and ready for the embargo time would meet Release
> Engineering's criteria for testing?
Right, exactly -- that's the mechanism I'm looking for.
--
Matthew Miller -- Fedora Project -- <mattdm(a)fedoraproject.org>
"Tepid change for the somewhat better!"