I'm concerned about how long it takes security updates to make it to users under Fedora's current policies (which generally allow such updates the possibility of sitting in testing for 14 days, or even longer).

 

Just one example is the Firefox 37.0.1 update for Fedora 20:

https://admin.fedoraproject.org/updates/FEDORA-2015-5723/firefox-37.0.1-1.fc20

 

The currently available version of Firefox in Fedora 20 has a critical vulnerability which allows a man-in-the-middle attacker to impersonate any HTTPS website. In this context, shouldn't security concerns win out over the worry that there might be some regression? We already know there's a serious problem in the current package, so why do we have to wait 14 days just because there might be some problem in the new package?

 

Shouldn't this policy be revised?

 

Jerry