[Fedora-packaging] critical path security update policy

Jerry Bratton JerryLBratton at mail.com
Sat Apr 18 22:07:48 UTC 2015


Then the policy that I suggest revising is the one which precludes automatically pushing at the +2 threshold.
 
Even requiring the lower threshold might arguably be too much. In any case, under the current system, users of Fedora 20 have been vulnerable already for 15 days.
 
The issue I am trying to bring attention to isn't specific to this one particular update. I have taken the proactive measure of disabling the configuration which makes Firefox 37.0 vulnerable on my own system, so I am not personally invested in the timely release of this particular update. Voting on this one particular update would not help to address the larger problem I'm seeing that many security updates take several days or even weeks to reach users. The issue is more pronounced in F20 than F21 or F22, presumably because there is more interest in testing the later releases, but the issue is there nonetheless. I believe that a discussion of the policies which are contributing to these delays is warranted.
 
Even if I were to vote on security updates that I noticed were taking a long time in testing, there's still the probability that there are many other security updates stuck in testing for a long time that I never know about, leaving my system vulnerable.
 
I prefer to think of my message as promoting discussion of a legitimate issue rather than "complaining".

I was not sure which list was the best to bring up this discussion, so I sent to packaging, security, and security team. It may be worth noting that only members of the packaging list have responded as of yet.

I apologize if my apparent error in sending an HTML-formatted e-mail (the default in my e-mail program) was inconvenient for list members. But does this discussion really need to be about all of my faults rather than the issue of the impact of delaying critical path security updates just because they might cause a regression?
Sent: Saturday, April 18, 2015 at 5:41 PM
From: "Michael Schwendt" <mschwendt at gmail.com>
To: packaging at lists.fedoraproject.org
Cc: "Jerry Bratton" <JerryLBratton at mail.com>
Subject: Re: [Fedora-packaging] critical path security update policy
On Sat, 18 Apr 2015 22:43:23 +0200, Jerry Bratton wrote:

> Since you have a clearer understanding of these things, would you care to take the time to explain why the update is still in testing and why the fact that it remains there is unrelated to any Fedora policy?
>

It has been entered with a karma threshold of +3, and the critical path
requirements are below that. With just +2 it doesn't get marked stable
automatically, but with +3.

You could have voted on it, too, instead of complaining here on the
wrong list and mailing HTML. ;-)
