The new Update Acceptance Criteria are broken

Simo Sorce ssorce at
Fri Nov 12 20:13:45 UTC 2010

On Fri, 12 Nov 2010 12:02:03 -0800
Adam Williamson <awilliam at> wrote:

> On Fri, 2010-11-12 at 14:54 -0500, Simo Sorce wrote:
> > Adam why should security updates wait at all ?
> > Do you fear some packager will flag as security updates that are
> > not ? Surely we can deal with such maintainer if that happens...
> I don't have a hugely strong opinion either way, but the stated reason
> by those who do is that security updates can be broken just like any
> other. We don't have a magic 'infallible' switch on packagers which we
> toggle only when they're building a security update. :)

Oh sure I don't doubt that. But in this case we need to deal with the
lesser evil.
Is it more important to close a security bug with a (small) risk of
breaking a package ?
Or is it more important to (try to) test it and leave our users exposed
for a long time to a security threat ?

If we are not comfortable with treating all security issues the same we
can have a flag that skips testing only for "remote exploit" type of
security issues. That will reduce the number of exception to the most
dangerous cases.

What do you think ?


Simo Sorce * Red Hat, Inc * New York

More information about the devel mailing list