[Fedora-packaging] critical path security update policy

Mario Torre neugens.limasoftware at gmail.com
Mon Apr 20 09:03:44 UTC 2015


2015-04-19 19:25 GMT+02:00 Michael Schwendt <mschwendt at gmail.com>:
> On Sun, 19 Apr 2015 00:07:48 +0200, Jerry Bratton wrote:
>
>> Then the policy that I suggest revising is the one which precludes automatically pushing at the +2 threshold.
>>
>
> There is no "one size fits all" with regard to security updates.
>
> Even if it were not a version upgrade, but only a small patch on top of a
> previously released version of the software, it's a new build that can
> break in lots of funny and not so funny ways. Sometimes software builds
> break because dependencies, tool-chains, frameworks have changed since the
> last released build.

Hmm,

Security has precedence over even backward compatibility.

The maintainers should be ultimately responsible to ensure that the
package they maintain is in a coherent state and in theory just
backporting the security patches. I know that it is often easier said
than done, but the general rule is security first.

>> Even requiring the lower threshold might arguably be too much. In any case, under the current system, users of Fedora 20 have been vulnerable already for 15 days.
>>
>
> Which, IMHO, is not true, because this update is available in the
> updates-testing repository. What is wrong with fetching it from there?
> Especially since you think it's good enough to be unleashed.

General users can't really be asked to enable by default a testing
repository, and you really need to know if an update is a security
update, rather than a general update.

> Users of Fedora really need to understand that they are consumers of
> test updates in more cases than they may be aware of. All those Test Updates,
> which are pushed into the stable updates repo manually (i.e. with 0 karma
> and no explicit feedback from any testers, not even the packager) may have
> seen no testing at all.

This is a problem that needs to be addressed, and I don't think it can
be addressed by pushing the burden onto the users.

I agree Fedora is a community effort, but it's the wrong take to
require that anybody who uses Fedora *must* contribute to it, or the
penalty is to receive wrong updates or a vulnerable system.

Cheers,
Mario


-- 
pgp key: http://subkeys.pgp.net/ PGP Key ID: 80F240CF
Fingerprint: BA39 9666 94EC 8B73 27FA  FC7C 4086 63E3 80F2 40CF

Java Champion - Blog: http://neugens.wordpress.com - Twitter: @neugens
Proud GNU Classpath developer: http://www.classpath.org/
OpenJDK: http://openjdk.java.net/projects/caciocavallo/

Please, support open standards:
http://endsoftpatents.org/

