[Fedora-packaging] critical path security update policy

Michael Schwendt mschwendt at gmail.com
Sun Apr 19 18:18:30 UTC 2015


On Sun, 19 Apr 2015 20:05:41 +0200, Jerry Bratton wrote:

> What is the point in waiting for a manual push if the update has reached the +2 threshold?
> 

The update ticket has been set to need +3.

It could have been lowered to +2 by the update submitter, but whether and
when to do that depends on various factors.

> >Which, IMHO, is not true, because this update is available in the
> >updates-testing repository. What is wrong with fetching it from there?
> >Especially since you think it's good enough to be unleashed.
> 
> The user would either have to have explicit knowledge of every security issue or would have to have the test updates repository enabled for that to be "not true". The fact of the matter is, under the default configuration, F20 users have been vulnerable for 16 days now. And counting....
>

No. This is not just about security issues. It is about all Test Updates.
Good ones, trivial ones, and the occasional brown paper bag. ;) Frankly,
I'm the wrong person in such a discussion. If nobody else takes a look at
updates-testing in 16 days, that's disappointing, isn't it? You will never
know what may appear in the "stable" updates repo. Once it's in there,
it's too late.

It's not even necessary to run with _full_ updates-testing enabled. Just
the occasional look at pending Test Updates can be enlightening. Focus on
what might be important to you. Notice the Firefox update, give it a try,
be happy if it works, give feedback (especially if there's an issue).

