Security release criterion proposal

Eugene Teo eugene at redhat.com
Thu May 19 02:00:19 UTC 2011


> # There must be no known remote code execution vulnerability which could
> be exploited during installation or during use of a live image shipped
> with the release
> 
> Points to consider:
> 
> * Possible variants to the type of vulnerability covered...do we also
> want to make local privesc vulns blocking? Conversely, do we want to
> make only remote *root* execution vulns blocking? I don't know if anyone
> would want to go as far as making DoS vulns release blocking, but speak
> up if you would! (Of course there is again the local/remote distinction
> to consider there: 'all DoS vulns' would be a much tighter standard than
> 'remote DoS vulns').

I say, local privilege escalations with publicly available exploits, and
remotely triggerable vulnerabilities. If such an issue is known before
Final, we should attempt to address it before releasing.

Eugene

