critical path security update policy

Jerry Bratton JerryLBratton at mail.com
Sat Apr 18 23:16:32 UTC 2015


>> I'm concerned about how long it takes security updates to make it to users
>> under Fedora's current policies (which generally allow such updates the
>> possibility of sitting in testing for 14 days, or even longer).
>>
>> Just one example is the Firefox 37.0.1 update for Fedora 20:
>> https://admin.fedoraproject.org/updates/FEDORA-2015-5723/firefox-37.0.1-1.fc20
>>
>> The currently available version of Firefox in Fedora 20 has a critical
>> vulnerability which allows a man-in-the-middle attacker to impersonate any
>> HTTPS website. In this context, shouldn't security concerns win out over the
>> worry that there might be some regression? We already know there's a serious
>> problem in the current package, so why do we have to wait 14 days just
>> because there might be some problem in the new package?
>>
>> Shouldn't this policy be revised?
>
>I thought a packager already has the ability to push something to
>stable without any delay? It's just not the default. Is that
>incorrect?
>
>I think in the case of an upstream like Firefox where we can pretty
>much be assured that they've escalated a critical security update
>before any other pending updates, that it's completely reasonable for
>the packager to take advantage of any policy that lets them bypass
>updates-testing.

I don't know whether that's correct or not. If it is true, Stransky, could you take that approach in future instances?

In any case, this is not an issue specific to one particular update or one particular maintainer. Perhaps there should be a checkbox for "this is a security update ONLY" that would allow an update to bypass the updates-testing repository?


More information about the security-team mailing list