On Sat, Apr 18, 2015 at 12:35 PM, Jerry Bratton <JerryLBratton(a)mail.com> wrote:
> I'm concerned about how long it takes security updates to make it to users
> under Fedora's current policies (which generally allow such updates the
> possibility of sitting in testing for 14 days, or even longer).
>
> Just one example is the Firefox 37.0.1 update for Fedora 20:
> https://admin.fedoraproject.org/updates/FEDORA-2015-5723/firefox-37.0.1-1...
>
> The currently available version of Firefox in Fedora 20 has a critical
> vulnerability which allows a man-in-the-middle attacker to impersonate any
> HTTPS website. In this context, shouldn't security concerns win out over the
> worry that there might be some regression? We already know there's a serious
> problem in the current package, so why do we have to wait 14 days just
> because there might be some problem in the new package?
>
> Shouldn't this policy be revised?
I thought a packager already has the ability to push something to
stable without any delay? It's just not the default. Is that
incorrect?
I think in the case of an upstream like Firefox, where we can pretty
much be assured that they've escalated a critical security update
before any other pending updates, it's completely reasonable for
the packager to take advantage of any policy that lets them bypass
updates-testing.
--
Chris Murphy