Security release criterion proposal

Adam Williamson awilliam at redhat.com
Thu May 19 03:00:36 UTC 2011


On Thu, 2011-05-19 at 10:00 +0800, Eugene Teo wrote:

> I say, local privilege escalations with publicly available exploits, and
> remotely triggerable vulnerabilities. If such an issue is known before
> Final, we should attempt to address it before releasing.

Note, a release criterion would have a stronger result: you say 'attempt
to address it before releasing', but the effect of a release criterion
is that issues which breach it *must* be fixed before we release; the
release would slip until it was addressed. If you want a weaker effect,
the NTH process (which works off more flexible 'principles' rather than
strict criteria) is appropriate: an NTH bug is one for which we will
break a release freeze to take a fix, but which doesn't block the
release (if a fix isn't ready in time, we still go ahead and release).

Once we have consensus on a release criterion - or not having a release
criterion - I'll make a follow-up proposal for an NTH principle to cover
less serious security issues.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net



More information about the test mailing list