The new Update Acceptance Criteria are broken
ssorce at redhat.com
Fri Nov 12 19:54:28 UTC 2010
On Fri, 12 Nov 2010 11:19:22 -0800
Adam Williamson <awilliam at redhat.com> wrote:
> On Fri, 2010-11-12 at 20:03 +0100, Till Maas wrote:
> > On Mon, Nov 01, 2010 at 10:09:17AM -0700, Adam Williamson wrote:
> > > I disagree. The evidence you cite does not support this
> > > conclusion. We implemented the policies for three releases. There
> > > are significant problems with one release. This does not justify
> > > the conclusion that the policies should be entirely repealed.
> > It was brought to my attention that current Fedora releases also
> > have problems with delaying important security updates. A fix for a
> > remote code execution vulnerability in proftpd was only pushed to
> > stable with a seven day delay:
> > https://admin.fedoraproject.org/updates/proftpd-1.3.3c-1.fc13
> > https://admin.fedoraproject.org/updates/proftpd-1.3.3c-1.fc14
> > And it is not a theoretical threat, I know that servers in the
> > nearby area have been exploited because of this vulnerability.
> > Delaying such updates seems to be a very bad idea. Even in the
> > unlikely case that the update was broken and made proftpd not start
> > anymore, this is usually not as bad as having the system corrupted
> > by an evil attacker.
> Thanks for flagging this up.
> I'm wondering if perhaps we should devise a system - maybe a sub-group
> of proventesters - to ensure timely testing of security updates. wdyt?
Adam, why should security updates wait at all?
Do you fear some packager will flag as security updates ones that are not?
Surely we can deal with such a maintainer if that happens...
Simo Sorce * Red Hat, Inc * New York