FESCo wants to ban direct stable pushes in Bodhi (urgent call for feedback)

Adam Williamson awilliam at redhat.com
Wed Mar 3 07:57:37 UTC 2010


On Wed, 2010-03-03 at 01:25 -0500, James Antill wrote:
> On Wed, 2010-03-03 at 01:34 +0100, Björn Persson wrote:
> > Adam Williamson wrote:
> > > you can try and cherry-pick security updates, but then you get the
> > > problem where initial release has Foobar 1.0, then Foobar 3.5 gets
> > > shipped in updates, then a security problem emerges and Foobar 3.5-2
> > > with the security fix gets shipped in updates. You now have a choice of
> > > insecure Foobar 1.0, or completely new version Foobar 3.6.
> > 
> > There's also the other variant where a security problem is found in Foobar 1.0 
> > but the problem isn't present in Foobar 3.0 and later. Upstream still supports 
> > the 1.0 branch and releases Foobar 1.0.4 to fix the problem, but no security 
> > update is released for Fedora since there is no problem in the latest Fedora 
> > package. The Fedora user who chose not to upgrade Foobar won't even know that 
> > there is a security problem.
> 
>  This isn't a hard problem, 3.0 should then be marked as a security
> update. Sure it sucks that you have to go from 1.0.4 to 3.0, and
> presumably a lot will change, but that's Fedora.
>  On the other hand if "yum --security update" does not fix the known
> security problems on your system, that's a huge exploit waiting to
> happen ... and one I doubt any users know about.
>  I've sent a query to security@ to clarify.

I wasn't suggesting that's what happens in Fedora at present, just that
- given a single update stream in which it's perfectly fine for
'security' updates to build on 'feature' updates - it's impossible to
cherry pick only security updates. So even though Fedora categorizes
updates, you can't actually run Fedora and only take the minimal changes
that some people consider an appropriate update set.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
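Added illustration, not part of the mail above: a small Python model of one package's update stream that makes the two cases in the thread concrete. Package name, versions and issue identifiers are constructed for the example, and the behaviour of "yum --security update" is reduced to one modelling assumption (install the newest security-tagged build newer than what is installed).

```python
# Added illustration (not part of the original mail): a toy model of one
# package's update stream, showing why "security only" cannot be cherry-picked
# when security builds are layered on feature builds. Names, versions and
# issue ids are constructed for the example.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Update:
    version: str            # rpm-style "version-release", e.g. "3.5-2"
    kind: str               # Bodhi update type: "security" or "feature"
    fixes: FrozenSet[str]   # issues present in older builds but absent here


def version_key(v: str) -> Tuple[Tuple[int, ...], int]:
    """Simplified rpm ordering: dotted numeric version, then integer release."""
    ver, _, rel = v.partition("-")
    return tuple(int(x) for x in ver.split(".")), int(rel or 0)


def security_only_plan(installed: str, stream: List[Update]) -> Optional[Update]:
    """Modelling assumption for 'yum --security update': among updates tagged
    security and newer than the installed build, install the newest one.
    A fix is never split off from the builds it was layered on."""
    newer = [u for u in stream
             if u.kind == "security" and version_key(u.version) > version_key(installed)]
    return max(newer, key=lambda u: version_key(u.version)) if newer else None


def changes_pulled_in(installed: str, target: Update, stream: List[Update]) -> List[Update]:
    """Every build between the installed one and the chosen target; feature
    builds in this list ride along with the security fix."""
    lo, hi = version_key(installed), version_key(target.version)
    return sorted((u for u in stream if lo < version_key(u.version) <= hi),
                  key=lambda u: version_key(u.version))


def unaddressed_issues(installed: str, stream: List[Update],
                       known: FrozenSet[str]) -> FrozenSet[str]:
    """Known issues that a security-only update would leave on the system."""
    target = security_only_plan(installed, stream)
    if target is None:
        return known
    fixed = frozenset().union(*(u.fixes for u in changes_pulled_in(installed, target, stream)))
    return known - fixed


# Scenario 1 (constructed): Foobar 1.0 installed; 3.5 shipped as a feature
# update, then 3.5-2 with a security fix layered on top of it.
STREAM_LAYERED = [
    Update("3.5-1", "feature", frozenset()),
    Update("3.5-2", "security", frozenset({"ISSUE-1"})),
]

# Scenario 2 (constructed): the bug in 1.0 is simply absent from 3.0, which was
# shipped as a feature update, so nothing in the stream is tagged security.
STREAM_UNTAGGED = [Update("3.0-1", "feature", frozenset({"ISSUE-2"}))]

# The remedy proposed in the thread: tag that 3.0 build as a security update.
STREAM_RETAGGED = [Update("3.0-1", "security", frozenset({"ISSUE-2"}))]


def demo() -> dict:
    """Summarise both scenarios as plain values."""
    target = security_only_plan("1.0-1", STREAM_LAYERED)
    pulled = changes_pulled_in("1.0-1", target, STREAM_LAYERED)
    return {
        "layered_target": target.version,
        "layered_pulls_feature_build": any(u.kind == "feature" for u in pulled),
        "untagged_left_open": sorted(unaddressed_issues("1.0-1", STREAM_UNTAGGED, frozenset({"ISSUE-2"}))),
        "retagged_left_open": sorted(unaddressed_issues("1.0-1", STREAM_RETAGGED, frozenset({"ISSUE-2"}))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the first scenario the only security-tagged build is 3.5-2, so the security-only plan drags in the 3.5 feature build with it; the alternatives are exactly the two in the mail, stay on 1.0 or take the whole new version. In the second scenario a security-only run selects nothing and the known issue stays open until the 3.0 build is retagged as a security update.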



More information about the devel mailing list