Security release criterion proposal
Adam Jackson
ajax at redhat.com
Wed May 18 20:59:28 UTC 2011
On 5/18/11 4:49 PM, Kevin Kofler wrote:
> The thing is, if we block the release for each and every known security
> issue, considering the time passing between notification and public
> availability of a fix, we will never be able to release anything. We have to
> draw the line somewhere, and the best way to do it is to use our time-based
> schedule.
False induction.
>> I'd rather not ship something that I _know_ will result in the user
>> getting rooted. This is so fundamental a tenet of quality that I have
>> difficulty even believing someone could disagree. I guess Kevin's brain
>> is simply something I should stop being surprised by.
>
> You don't KNOW that it will get the user rooted. Now if the hole is in a
> service listening to the Internet by default and is getting exploited by an
> automated worm, you can reasonably say that it WILL get the user rooted, but
> if it's e.g. a browser vulnerability, it will only hit the users if and when
> they access an infected or malicious site. Hopefully they'll have installed
> our 0-day security fix by then! (I'd hope sites like start.fedoraproject.org
> will not carry some trojan horse!)
Now you're drawing lines. Before you were saying "this is impossible,
we shouldn't try". Moving the goalposts.
I'm done arguing with you on this, it's clear you don't know how.
- ajax
More information about the devel
mailing list