Security release criterion proposal
Josh Bressers
bressers at redhat.com
Thu May 19 12:57:46 UTC 2011
----- Original Message -----
>
> I say, local privilege escalations with publicly available exploits, and
> remotely triggerable vulnerabilities. If such an issue is known before
> Final, we should attempt to address it before releasing.
>
I think it makes sense to address these prior to a release (on a case by
case basis), but I think we're missing the real point here.
We don't re-spin install media in Fedora, that means that if a remote root
hole is found 2 days after release, what do we do? (the current answer is
nothing). Perhaps the correct answer is to have firstboot update the system
for a user (do it in the background so they can still login do things). If
firstboot can't update the system, it's likely there is no Internet
connection anyway.
--
JB
More information about the security
mailing list