[Fedora-packaging] critical path security update policy

Jerry Bratton JerryLBratton at mail.com
Sun Apr 19 18:05:41 UTC 2015


>> Then the policy that I suggest revising is the one which precludes automatically pushing at the +2 threshold.  

>There is no "one size fits all" with regard to security updates.
>
>Even if it were not a version upgrade, but only a small patch on top of a
>previously released version of the software, it's a new build that can
>break in lots of funny and not so funny ways. Sometimes software builds
>break because dependencies, tool-chains, frameworks have changed since the
>last released build.

What is the point in waiting for a manual push if the update has reached the +2 threshold?

>> Even requiring the lower threshold might arguably be too much. In any case, under the current system, users of Fedora 20 have been vulnerable already for 15 days.

>Which, IMHO, is not true, because this update is available in the
>updates-testing repository. What is wrong with fetching it from there?
>Especially since you think it's good enough to be unleashed.

The user would either have to have explicit knowledge of every security issue or would have to have the test updates repository enabled for that to be "not true". The fact of the matter is, under the default configuration, F20 users have been vulnerable for 16 days now. And counting....
