-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Mon, Jul 15, 2013 at 09:35:02PM -0400, Matthew Miller wrote:
> Hi security team. I'm working on
> https://fedoraproject.org/wiki/Changes/VisibleCloud
> which proposes promoting the Fedora Cloud image on basically equal footing
> with the desktop download. Daniel Berrange gave the useful feedback that
> while installation-based distribution allows one to install updates at build
> time, image-based distribution means that the image must be booted to apply
> updates, giving a window of insecurity. (Unless careful measures are taken.)
Yeah, I can see this as being a concern. The risk will more than likely be small due to
the window of time involved, but it's always good to ship the fixes when they exist.
> When there was a security issue with the previous Fedora image, we did do a
> fire-drill with an adhoc respin and pushed new images. Dan suggests that we
> develop (in coordination with the qa and release engineering teams) a
> security policy for updates to the cloud image.
Each CVE receives a CVSSv2 score in BZ. This *could* be used as a way to determine which
vulnerability patches should go into your spin. Of course this may end up with more
updates than needed, being that you might be patching software that would necessarily run
at boot time or be vulnerable immediately. It's a place to start, IMO, though.
-- Eric
--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project - Red Hat
sparks(a)redhat.com - sparks(a)fedoraproject.org
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
-----END PGP SIGNATURE-----