On Thu, 2011-05-19 at 10:00 +0800, Eugene Teo wrote:

> I say, local privilege escalations with publicly available exploits, and
> remotely triggerable vulnerabilities. If such an issue is known before
> Final, we should attempt to address it before releasing.

Note, a release criterion would have a stronger result: you say 'attempt to address it before releasing', but the effect of a release criterion is that issues which breach it *must* be fixed before we release; the release would slip until it was addressed.

If you want a weaker effect, the NTH process (which works off more flexible 'principles' rather than strict criteria) is appropriate: an NTH bug is one for which we will break a release freeze to take a fix, but which doesn't block the release (if a fix isn't ready in time, we still go ahead and release).

Once we have consensus on a release criterion - or not having a release criterion - I'll make a follow-up proposal for an NTH principle to cover less serious security issues.

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net