The new Update Acceptance Criteria are broken
Adam Williamson
awilliam at redhat.com
Fri Nov 12 19:19:22 UTC 2010
On Fri, 2010-11-12 at 20:03 +0100, Till Maas wrote:
> On Mon, Nov 01, 2010 at 10:09:17AM -0700, Adam Williamson wrote:
>
> > I disagree. The evidence you cite does not support this conclusion. We
> > implemented the policies for three releases. There are significant
> > problems with one release. This does not justify the conclusion that the
> > policies should be entirely repealed.
>
> It was brought to my attention that also current Fedora releases have
> problems with delaying important security updates. A fix for a remote
> code execution vulnerability in proftpd was only pushed to stable with a
> seven day delay:
> https://admin.fedoraproject.org/updates/proftpd-1.3.3c-1.fc13
> https://admin.fedoraproject.org/updates/proftpd-1.3.3c-1.fc14
>
> And it is not a theoretical threat, I know that servers in the nearby
> area have been exploited because of this vulnerability. Delaying such
> updates seems to be a very bad idea. Even in the unlikely case that the
> update was broken and made proftpd not start anymore, this is usually
> not as bad as having the system corrupted by an evil attacker.
Thanks for flagging this up.
I'm wondering if perhaps we should devise a system - maybe a sub-group
of proventesters - to ensure timely testing of security updates. wdyt?
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
More information about the devel
mailing list