Security release criterion proposal

Josh Bressers bressers at
Thu May 19 12:57:46 UTC 2011

----- Original Message -----
> I say, local privilege escalations with publicly available exploits, and
> remotely triggerable vulnerabilities. If such an issue is known before
> Final, we should attempt to address it before releasing.

I think it makes sense to address these prior to a release (on a case by
case basis), but I think we're missing the real point here.

We don't re-spin install media in Fedora, that means that if a remote root
hole is found 2 days after release, what do we do? (the current answer is
nothing). Perhaps the correct answer is to have firstboot update the system
for a user (do it in the background so they can still login do things). If
firstboot can't update the system, it's likely there is no Internet
connection anyway.


More information about the test mailing list