new f19/f20 images

drago01 drago01 at gmail.com
Thu Apr 17 13:11:38 UTC 2014


On Thu, Apr 17, 2014 at 3:02 PM, Chuck Anderson <cra at wpi.edu> wrote:
> On Thu, Apr 17, 2014 at 02:52:41PM +0200, drago01 wrote:
>> On Thu, Apr 17, 2014 at 2:51 PM, Chuck Anderson <cra at wpi.edu> wrote:
>> > On Wed, Apr 16, 2014 at 11:23:15PM +0200, drago01 wrote:
>> >> On Wed, Apr 16, 2014 at 9:11 PM, Kevin Fenzi <kevin at scrye.com> wrote:
>> >> > Greetings.
>> >> >
>> >> > We have new f19/f20 images with openssl updated, and they appear to be
>> >> > default/live already.
>> >> >
>> >> > Were we waiting for some testing runs on them before announcing?
>> >> > (Which we should have done before making them live, imho)
>> >> >
>> >> > Or did that already happen?
>> >> >
>> >> > Did we want to do a full test cycle on them?
>> >> > Or just openssl related actions?
>> >>
>> >> Huh?
>> >>
>> >> Since when do we do something like this? Sounds like an overreaction to me.
>> >> Installing (security) updates is the first thing you should do after
>> >> installing anyway and besides who decided this and when?
>> >> What are the criteria for doing updated images?
>> >
>> > Live images can't be updated...
>>
>> 1) They can
>> 2) Live images are not supposed to be used for production ..
>
> 1) Sure if you have a persistent live image on a USB I suppose.  But
> with CD/DVD media, you cannot update and then reboot as is necessary
> to fix the issue.  You can manually restart all processes/services
> that were linked against the old openssl I suppose, but you would have
> to go through this dance after every single boot to remove this
> vulnerability.

Which service do we install and run by default that uses OpenSSL and
is configured to use SSL on the live media?
-> Answer is none.

> 2) Live images could be used to rescue/repair a production
> environment,

See above.

> or could be used as a client to access a production
> environment.  For example one could be using "curl" which is linked
> against the bad openssl.

curl is a client.

> We shouldn't leave our users exposed if they
> decide to use a live image, especially since I don't think it is
> documented anywhere that "these images are unsuitable for use in a
> production environment".

They are unsuitable by their very nature of being live images.
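The point raised earlier in the thread, that after updating openssl on a running (live) system every process still linked against the old library has to be restarted, is something an admin can actually check rather than guess at. The script below is an added example, not part of this thread or of Fedora's tooling: it walks /proc/PID/maps and reports processes that still map a libssl or libcrypto shared object which the package update has since replaced on disk (the kernel marks such mappings "(deleted)"). The function and variable names, and the sample maps file it parses in dry-run mode, are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): find processes whose memory still maps
# an OpenSSL shared object that was replaced on disk since the process started.
# When rpm installs the new openssl it unlinks the old file, so any process
# that was already running keeps the old code mapped and /proc/PID/maps shows
# the path with a "(deleted)" suffix. Those processes must be restarted; on
# a live CD/DVD the update itself is gone again after a reboot.

# stale_ssl_libs FILE: print each distinct libssl/libcrypto path in a maps
# file that is marked deleted; print nothing when the process is clean.
stale_ssl_libs() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null \
        | awk '{print $6}' | sort -u
}

# scan_proc: walk every process on this host and print "PID COMM LIBS" for the
# ones still holding a replaced OpenSSL library (requires root to see all).
scan_proc() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_ssl_libs "$maps") || continue
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s %s %s\n' "$pid" "${comm:-?}" "$(printf '%s' "$libs" | tr '\n' ',')"
    done
}

# demo: run the parser over a constructed maps file (not captured from a real
# system). Only the deleted libssl mapping should be reported: the libcrypto
# line is current and the deleted libz line is not an OpenSSL library.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
7f1a2b000000-7f1a2b1c0000 r-xp 00000000 08:01 12345 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1a2b1c0000-7f1a2b1c1000 r--p 001bf000 08:01 12345 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1a2b200000-7f1a2b3a0000 r-xp 00000000 08:01 23456 /usr/lib64/libcrypto.so.1.0.1e
7f1a2b400000-7f1a2b420000 r-xp 00000000 08:01 34567 /usr/lib64/libz.so.1 (deleted)
EOF
    stale_ssl_libs "$tmp"
    rm -f "$tmp"
}

# Usage: "sh stale_ssl.sh --scan" checks the live system; with no argument the
# script runs the dry run on the constructed sample.
if [ "${1:-}" = "--scan" ]; then
    scan_proc
else
    demo
fi
```

The regex only keys on the library file name, so it also catches an old libcrypto mapped by a client such as curl; matching on "(deleted)" rather than on a version string means the same check works for any future openssl update, not just this one.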

