critical path security update policy

Chris Murphy lists at colorremedies.com
Sat Apr 18 22:53:21 UTC 2015


On Sat, Apr 18, 2015 at 12:35 PM, Jerry Bratton <JerryLBratton at mail.com> wrote:
> I'm concerned about how long it takes security updates to make it to users
> under Fedora's current policies (which generally allow such updates the
> possibility of sitting in testing for 14 days, or even longer).
>
> Just one example is the Firefox 37.0.1 update for Fedora 20:
> https://admin.fedoraproject.org/updates/FEDORA-2015-5723/firefox-37.0.1-1.fc20
>
> The currently available version of Firefox in Fedora 20 has a critical
> vulnerability which allows a man-in-the-middle attacker to impersonate any
> HTTPS website. In this context, shouldn't security concerns win out over the
> worry that there might be some regression? We already know there's a serious
> problem in the current package, so why do we have to wait 14 days just
> because there might be some problem in the new package?
>
> Shouldn't this policy be revised?

I thought a packager already has the ability to push something to
stable without any delay? It's just not the default. Is that
incorrect?

I think in the case of an upstream like Firefox, where we can pretty
much be assured that they've escalated a critical security update
before any other pending updates, it's completely reasonable for
the packager to take advantage of any policy that lets them bypass
updates-testing.


-- 
Chris Murphy


More information about the security-team mailing list