REVIEW/RFC: https://fedoraproject.org/wiki/User:Kevin/Updates_Policy_Draft

Kevin Fenzi kevin at scrye.com
Wed Sep 22 18:35:44 UTC 2010


On Wed, 22 Sep 2010 12:12:54 -0500
Bruno Wolff III <bruno at wolff.to> wrote:

> On Wed, Sep 22, 2010 at 18:58:25 +0200,
>   drago01 <drago01 at gmail.com> wrote:
> > 
> > In case of a security issue a random note somewhere "don't do that"
> > is not acceptable ... that's all I am saying here.
> > You are leaving users at risk by assuming that they will read that
> > notice (note: most won't).
> 
> I disagree. There are lots of degrees to security bugs. How they are
> handled depends on the cost of fixing the issue and the impact of the
> bug. These tradeoffs are made all of the time.

I agree with Bruno here. 

Security updates are very important and should be given a pretty high
weight in general, but there are lots of further factors: 

- Does the security issue not affect Fedora in its default
  configuration?
- Is there a way to backport the fix to the current version instead of
  taking a vastly changed upstream head package version?
- Can some minor/not very used part of the existing package be disabled
  to prevent the security issue from being a problem?

Few things are black and white. 

kevin