On Fri, 2012-10-26 at 12:44 -0700, Adam Williamson wrote:
> I think with the feedback we've seen so far that we can say the original
> proposal was substantially too broad, so how about this as a revised
> proposal - for now, we just add a single Final release criterion which
> reads:
>
> "The release must contain no known security issues of 'important' or
> higher impact according to the Red Hat severity classification scale
> which cannot be satisfactorily resolved by a package update (e.g. issues
> during installation)"
>
> ? How does that sound to everyone? It drops the issue entirely for Alpha
> and Beta, and means we only consider bad issues that cannot be fixed
> with an update for Final.

Hmm, actually, let's change 'issues' to 'bugs' there, I think that makes
it clearer that we're talking about things that have actually been
accepted as bugs - it avoids any suggestion we'd be wading into the
debate about what actually constitutes a security issue, as Johann was
concerned about. So:
"The release must contain no known security bugs of 'important' or
higher impact according to the Red Hat severity classification scale
which cannot be satisfactorily resolved by a package update (e.g. issues
during installation)"
with the understanding that QA would never use this to wade into
something like the sshd question and declare that it was a Bug That Must
Be Fixed. It applies only to things that are clearly agreed to be actual
bugs.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net