[Fedora-packaging] critical path security update policy

Michael Schwendt mschwendt at gmail.com
Mon Apr 20 08:42:28 UTC 2015


On Mon, 20 Apr 2015 03:55:10 +0200, Jerry Bratton wrote:

> >The update ticket has been set to need +3.
> >
> >It could have been lowered to +2 by the update submitter, but whether and
> >when to do that depends on various factors.
> 
> Where did the +2 threshold come from?

https://fedoraproject.org/wiki/Updates_Policy#Updates_to_.27critical_path.27_packages

> Are you saying the submitter did not request it?
> 

+3 was requested.

> You stated it's "not true" that users of Fedora 20 have been vulnerable for 16 days. You apparently justify this claim by stating that they could have used the package from updates testing. In other words, your opinion is that every user of Fedora should be expected to check updates testing every day and manually apply security updates from updates testing, overriding the Fedora defaults, in order to get critical security updates in a timely fashion (i.e. not having to wait 16 days and counting). You consider this to be the most reasonable solution to the problem? I'm at a loss.
>

That's not exactly what I'm suggesting.

Not "every user of Fedora should be expected to check updates testing
every day". __More__ users of Fedora should be aware of how updates-testing
works, how to find and use the Fedora Updates System web site (bodhi), and
leave their pure-consumer role. Start testing _before_ something enters the
stable updates repo. Ensure that the features you need (or depend on more
strictly perhaps) will still work after applying the latest bunch of
"stable updates". It would make the community stronger. In this particular
case a single +1 vote from another user would have been enough and would
have triggered an automatic push to stable.

Yes, in my opinion it is a really bad joke, for example, if somebody with
interest in some software published by Fedora -- possibly someone with a
strong interest even -- opens a problem report in bugzilla and complains
about an update after it had been in updates-testing for a month without
any feedback. I know that many users expect "the distributor" to do all
the work, but I don't think that is feasible for any of the popular
distributions. And I think Fedora has made it easy for users to become
part of the community and find an area where they can contribute, even if
just by making sure that some single package still works after an update.

Back to the topic, I don't think hot-fixes are applicable in all cases,
not even with dedicated man-power. Hot-fixes would also exclude the community
and take away the chance to find bugs/regressions and block a faulty update
prior to entering the stable updates repo.
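As an added illustration (not code from this thread and not bodhi's own implementation), here is a simplified model of the karma counting the message refers to: each tester's most recent vote counts once, the update is automatically requested for stable once net karma reaches the submitter's threshold (+3 here, lowerable to +2), and strongly negative feedback withdraws it. The class and method names, the sample package names and the -3 withdrawal threshold are assumptions of this example.

```python
"""Simplified model of karma-gated update promotion (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Update:
    """One update sitting in a testing repository.

    stable_karma:   net karma needed to auto-request a push to stable.
    unstable_karma: net karma at which the update is withdrawn (assumed -3).
    """
    name: str
    stable_karma: int = 3
    unstable_karma: int = -3
    votes: Dict[str, int] = field(default_factory=dict)  # tester -> latest vote
    request: Optional[str] = None  # None = still testing, "stable" or "unpush"

    def karma(self) -> int:
        # Only each tester's latest vote counts, so one person repeating +1
        # cannot push an update through on their own.
        return sum(self.votes.values())

    def feedback(self, tester: str, karma: int) -> Optional[str]:
        """Record a vote and return the resulting request, if any."""
        if karma not in (-1, 0, 1):
            raise ValueError("karma must be -1, 0 or +1")
        if self.request is not None:
            return self.request  # already decided; later votes change nothing
        self.votes[tester] = karma
        total = self.karma()
        if total >= self.stable_karma:
            self.request = "stable"
        elif total <= self.unstable_karma:
            self.request = "unpush"
        return self.request

    def lower_threshold(self, new_stable_karma: int) -> Optional[str]:
        """Submitter lowers the required karma; existing votes are re-checked."""
        if new_stable_karma < 1:
            raise ValueError("threshold must be positive")
        self.stable_karma = new_stable_karma
        if self.request is None and self.karma() >= self.stable_karma:
            self.request = "stable"
        return self.request


def scenario_from_thread() -> Dict[str, object]:
    """The situation described above: +3 required, two +1 votes received,
    so a single further +1 from another tester triggers the stable push."""
    upd = Update("example-1.0-1.fc20", stable_karma=3)  # constructed name
    upd.feedback("tester-a", 1)
    upd.feedback("tester-b", 1)
    stuck_at = upd.karma()          # 2: still waiting in updates-testing
    result = upd.feedback("tester-c", 1)
    return {"karma_before": stuck_at, "request_after": result}


if __name__ == "__main__":
    print(scenario_from_thread())
```

The model makes the thread's point concrete: with the threshold left at +3, the update waits until a third distinct tester confirms it works, whereas lowering the threshold to +2 would have promoted it with the votes already present.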
