On Thu, May 22, 2014 at 11:26:07AM -0400, Matthew Miller wrote:
> See <https://fedorahosted.org/rel-eng/ticket/5886>. In short, the time to do
> an updates compose and push (plus sync times to mirrors) severely limits our
> ability to put out critical updates quickly. Would anyone be interested in
> filling out a plan for an alternate repository which would use a special
> expedited process to make ultra-critical updates available more quickly?

I dislike the idea of a separate repo for ultra-critical updates. Once a fix is available
for a vulnerability it should, IMO, be shipped as soon as possible. I know this
doesn't fit into the Microsoft model or our model of community testing but really as
soon as you go public with a fix you've also just notified all the "bad
guys" out there to the vulnerability and exactly how to exploit it. It's a race
condition at that point.

I'd much prefer to have a mechanism in place that allows these fixes to be pushed to
the repos almost immediately (once they've been properly tested). I'm not exactly
sure how this can work but perhaps having QE tested patches packaged and ready for the
embargo time would meet Release Engineering's criteria for testing?

-- Eric
--------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security Team
sparks(a)redhat.com - sparks(a)fedoraproject.org
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------