developing the "critical updates repo" plan

Matthew Miller mattdm at fedoraproject.org
Fri May 23 14:16:41 UTC 2014


On Fri, May 23, 2014 at 10:01:46AM -0400, Eric H. Christensen wrote:
> I dislike the idea of a separate repo for ultra-critical updates.  Once a
> fix is available for a vulnerability it should, IMO, be shipped as soon as
> possible. I know this doesn't fit into the Microsoft model or our model of
> community testing but really as soon as you go public with a fix you've
> also just notified all the "bad guys" out there to the vulnerability and
> exactly how to exploit it. It's a race condition at that point.

I'm not sure I follow here. What do you dislike? This isn't meant to be a
hidden repo -- it's the "ship as soon as possible!" repo, so it sounds like
you're agreeing.

> I'd much prefer to have a mechanism in place that allows these fixes to be
> pushed to the repos almost immediately (once they've been properly
> tested). I'm not exactly sure how this can work but perhaps having QE
> tested patches packaged and ready for the embargo time would meet Release
> Engineering's criteria for testing?

Right, exactly -- that's the mechanism I'm looking for.

-- 
Matthew Miller    --   Fedora Project    --    <mattdm at fedoraproject.org>
                                  "Tepid change for the somewhat better!"

