FESCo wants to ban direct stable pushes in Bodhi (urgent call for feedback)
James Antill
james at fedoraproject.org
Wed Mar 3 06:25:57 UTC 2010
On Wed, 2010-03-03 at 01:34 +0100, Björn Persson wrote:
> Adam Williamson wrote:
> > you can try and cherry-pick security updates, but then you get the
> > problem where initial release has Foobar 1.0, then Foobar 3.5 gets
> > shipped in updates, then a security problem emerges and Foobar 3.5-2
> > with the security fix gets shipped in updates. You now have a choice of
> > unsecure Foobar 1.0, or completely new version Foobar 3.6.
>
> There's also the other variant where a security problem is found in Foobar 1.0
> but the problem isn't present in Foobar 3.0 and later. Upstream still supports
> the 1.0 branch and releases Foobar 1.0.4 to fix the problem, but no security
> update is released for Fedora since there is no problem in the latest Fedora
> package. The Fedora user who chose not to upgrade Foobar won't even know that
> there is a security problem.
This isn't a hard problem: 3.0 should then be marked as a security
update. Sure it sucks that you have to go from 1.0.4 to 3.0, and
presumably a lot will change, but that's Fedora.
On the other hand if "yum --security update" does not fix the known
security problems on your system, that's a huge exploit waiting to
happen ... and one I doubt any users know about.
I've sent a query to security@ to clarify.
--
James Antill - james at fedoraproject.org
http://yum.baseurl.org/wiki/releases
http://yum.baseurl.org/wiki/whatsnew/3.2.27
http://yum.baseurl.org/wiki/YumMultipleMachineCaching
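An added illustration (not part of the thread, and not yum's own code) of the gap the messages above describe: a small model of updateinfo notices in which `--security` only sees packages shipped under a notice of type "security", so a fix pushed as an "enhancement" is invisible to it until the notice is re-marked. The package, versions and notice ids are constructed, and the selection logic is a simplification of what yum actually does.

```python
"""Constructed model of the updateinfo gap discussed in the thread.

yum --security only pulls packages that appear in an update notice whose
type is "security". If the fix for a hole in the installed version was
shipped under a "bugfix" or "enhancement" notice, --security finds nothing
and the vulnerable package stays installed. All data here is made up for
illustration; the selection logic is a simplification of yum's.
"""
from dataclasses import dataclass


def vkey(ver):
    """Ordering key for versions like '1.0.4' or '3.5-2' (version-release)."""
    version, _, release = ver.partition("-")
    to_ints = lambda s: tuple(int(x) for x in s.split(".") if x)
    return (to_ints(version), to_ints(release))


@dataclass(frozen=True)
class Notice:
    notice_id: str   # constructed id, e.g. "FEDORA-2010-0001"
    kind: str        # "security", "bugfix" or "enhancement"
    version: str     # package version-release the notice ships


def security_candidates(installed, notices):
    """Versions newer than `installed` that sit under a security notice,
    i.e. what a --security filter is allowed to consider."""
    return sorted(
        (n.version for n in notices
         if n.kind == "security" and vkey(n.version) > vkey(installed)),
        key=vkey)


def audit(installed, fixed_in, notices):
    """Classify an install known to be vulnerable below `fixed_in`:
    'ok' (already fixed), 'fixed' (--security will pull a fix), or
    'gap' (a fix exists in the repo but no security notice covers it)."""
    if vkey(installed) >= vkey(fixed_in):
        return "ok", installed
    cands = security_candidates(installed, notices)
    if cands:
        return "fixed", cands[-1]
    newer = [n.version for n in notices if vkey(n.version) >= vkey(fixed_in)]
    return "gap", (max(newer, key=vkey) if newer else None)


# Björn's scenario: hole in 1.0, gone in 3.0+, but 3.0 was pushed as an enhancement.
NOTICES = [Notice("FEDORA-2010-0001", "enhancement", "3.0"),
           Notice("FEDORA-2010-0002", "bugfix", "3.1")]
# James's answer: re-mark the 3.0 notice as a security update.
RELABELED = [Notice("FEDORA-2010-0001", "security", "3.0")] + NOTICES[1:]

if __name__ == "__main__":
    print(audit("1.0", "3.0", NOTICES))    # ('gap', '3.1')
    print(audit("1.0", "3.0", RELABELED))  # ('fixed', '3.0')
```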