REVIEW/RFC: https://fedoraproject.org/wiki/User:Kevin/Updates_Policy_Draft
drago01
drago01 at gmail.com
Wed Sep 22 18:56:07 UTC 2010
On Wed, Sep 22, 2010 at 8:35 PM, Kevin Fenzi <kevin at scrye.com> wrote:
> On Wed, 22 Sep 2010 12:12:54 -0500
> Bruno Wolff III <bruno at wolff.to> wrote:
>
>> On Wed, Sep 22, 2010 at 18:58:25 +0200,
>> drago01 <drago01 at gmail.com> wrote:
>> >
>> > In case of a security issue a random note somewhere "don't do that"
>> > is not acceptable ... that's all I am saying here.
>> > You are leaving users at risk by assuming that they will read that
>> > notice (note: most wont).
>>
>> I disagree. There are lots of degrees to security bugs. How they are
>> handled depends on the cost of fixing the issue and the impact of the
>> bug. These tradeoffs are made all of the time.
>
> I agree with Bruno here.
>
> Security updates are very important and should be given a pretty high
> weight in general, but there are lots of further factors:
>
> - Does the security issue not affect fedora in it's default
> configuration?
> - Is there a way to backport the fix to the current version instead of
> taking a vastly changed upstream head package version?
> - Can some minor/not very used part of the existing package be disabled
> to prevent the security issue from being a problem?
>
> Few things are black and white.
Might be true but a random notice on some website / mailinglist /
$whatever is NOT a fix. period.
More information about the devel
mailing list