The new Update Acceptance Criteria are broken

Bruno Wolff III bruno at wolff.to
Sun Nov 14 14:03:35 UTC 2010


On Sun, Nov 14, 2010 at 13:59:24 +0100,
  Till Maas <opensource at till.name> wrote:
> 
> If there are no security updates, people can not apply them. So what is
> worse? If people stop applying updates, then it is at least their
> decision. If there are no updates, people can only choose not to use

Many people are going to just pull updates. They aren't going to make a
decision on their own.

Security updates aren't all created equal. While the case that was
referenced in this was easily remotely exploitable, not all security
issues expose a system to that level of risk.
 
> The optimal case is to provide well tested security updates fast, but
> this is not what Fedora achieves. In my example there is no indication
> that the update was especially tested, because it did not get any karma.
> And it was not provided fast.

There is definitely a problem that needs fixing. But I don't think changing
the goal to untested security updates provided quickly is the preferred
solution.

Perhaps we should have a way to draw attention to high priority updates.
Generally we need more testers and need to make them more efficient.
(Test plans for packages can make testing more efficient and accurate.)

