The new Update Acceptance Criteria are broken
Simo Sorce
ssorce at redhat.com
Fri Nov 12 20:13:45 UTC 2010
On Fri, 12 Nov 2010 12:02:03 -0800
Adam Williamson <awilliam at redhat.com> wrote:
> On Fri, 2010-11-12 at 14:54 -0500, Simo Sorce wrote:
>
> > Adam, why should security updates wait at all?
> > Do you fear some packager will flag as security updates that are
> > not? Surely we can deal with such a maintainer if that happens...
>
> I don't have a hugely strong opinion either way, but the stated reason
> by those who do is that security updates can be broken just like any
> other. We don't have a magic 'infallible' switch on packagers which we
> toggle only when they're building a security update. :)
Oh sure, I don't doubt that. But in this case we need to deal with the
lesser evil.

Is it more important to close a security bug with a (small) risk of
breaking a package?

Or is it more important to (try to) test it and leave our users exposed
for a long time to a security threat?

If we are not comfortable with treating all security issues the same, we
can have a flag that skips testing only for "remote exploit" types of
security issues. That will reduce the number of exceptions to the most
dangerous cases.

What do you think?

Simo.
--
Simo Sorce * Red Hat, Inc * New York