-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Mon, Jul 15, 2013 at 09:35:02PM -0400, Matthew Miller wrote:
> Hi security team. I'm working on
>
> https://fedoraproject.org/wiki/Changes/VisibleCloud
>
> which proposes promoting the Fedora Cloud image on basically equal footing
> with the desktop download. Daniel Berrange gave the useful feedback that
> while installation-based distribution allows one to install updates at build
> time, image-based distribution means that the image must be booted to apply
> updates, giving a window of insecurity. (Unless careful measures are taken.)

Yeah, I can see this as being a concern. The risk will more than likely be
small due to the window of time involved, but it's always good to ship the
fixes when they exist.

> When there was a security issue with the previous Fedora image, we did do a
> fire-drill with an adhoc respin and pushed new images. Dan suggests that we
> develop (in coordination with the qa and release engineering teams) a
> security policy for updates to the cloud image.

Each CVE receives a CVSSv2 score in BZ. This *could* be used as a way to
determine which vulnerability patches should go into your spin. Of course this
may end up with more updates than needed, being that you might be patching
software that wouldn't necessarily run at boot time or be vulnerable
immediately. It's a place to start, IMO, though.
- -- Eric

- --------------------------------------------------
Eric "Sparks" Christensen
Fedora Project - Red Hat
sparks@xxxxxxxxxx - sparks@xxxxxxxxxxxxxxxxx
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
- --------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQGcBAEBCgAGBQJR5L8rAAoJEB/kgVGp2CYvV88L/3cKIdH3sqFU7tvsvlYJxd8P
Cf+wOJTiFkf5ZPUH43/3Gx8fOVqv4+vuhj56AsMB+DnQVCjbKuwP16ilLTve/gAh
uJOKAV+doPB7FgFmoLscDVxig8QbSH/rCCQ7M2hG2EPjhEmZNoVlRcdmQEa9GkYG
s3NKLUmJnnBzInZBDRVQ7a3KJz7fTiJAggKXkjAsPxFgnMhqe+3WIgooucd5EstO
VVqYcXN2MgUJmmlsqWN7Q6k0uVnL/MasL3mbT4hrA5ZV/hvowEEBGp7tGpR4Pizo
k+FUSXqMCmZgZh9Qxaem0BiiVQmcxesZW3QS4RXWRMrc/26GnmtJjF6Rg12KhMjg
6UfSh+SP4oE9t6ItI18pRHE+2WamfddFT+pyCo24O6yeXnH5bWyevy/d4GOyR8mK
yDxGSQTl/YAr/So9KYPsF3cu29Fep66oQ8mjYCgdkgTiz96D1mKiXPEBUHKFCcdi
sZFgRfRqgFO5Jf59t+sEa7pyb9YBf7e0Rv7/0TKrcQ==
=p2r+
-----END PGP SIGNATURE-----

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
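The suggestion in the message above is to drive a cloud-image respin policy from the CVSSv2 scores that Bugzilla attaches to each CVE, while avoiding respins for packages the image does not even ship. The script below is an added example, not Fedora's or the security team's tooling: it computes the CVSSv2 base score from a vector string (the formula and weights are those of the CVSS v2 specification) and applies an assumed triage policy to a constructed image manifest and a constructed set of advisories. The `RESPIN_THRESHOLD`, the lower "refresh" band, the package names and the `CVE-XXXX-*` identifiers are all placeholders chosen for the illustration.

```python
"""Respin triage from CVSSv2 vectors.

Added example: computes CVSSv2 base scores and applies an assumed policy
("respin if a shipped package has a high-severity fix pending") to a
constructed image manifest and constructed advisory records.
"""
import math

# CVSSv2 base-metric weights, as given in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality / Integrity / Availability

# Assumed policy knobs (not from the original message).
RESPIN_THRESHOLD = 7.0     # score at or above this, in a shipped package, forces a respin
REFRESH_THRESHOLD = 4.0    # between this and RESPIN_THRESHOLD: wait for the next scheduled image


def _round1(x):
    """Round to one decimal, half away from zero, as the CVSSv2 spec does.
    Python's round() uses banker's rounding, which can differ on .x5 values."""
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(vector):
    """Return the CVSSv2 base score for a vector like 'AV:N/AC:L/Au:N/C:C/I:C/A:C'.

    Impact and exploitability sub-scores follow the v2 equations; f(Impact)
    is 0 when the vector describes no impact at all, so such vectors score 0.0.
    """
    metrics = dict(part.split(":") for part in vector.strip("()").split("/"))
    impact = 10.41 * (1 - (1 - CIA[metrics["C"]])
                        * (1 - CIA[metrics["I"]])
                        * (1 - CIA[metrics["A"]]))
    exploitability = 20 * AV[metrics["AV"]] * AC[metrics["AC"]] * AU[metrics["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def triage(advisories, image_manifest,
           respin_at=RESPIN_THRESHOLD, refresh_at=REFRESH_THRESHOLD):
    """Decide what to do with each advisory against the package set of an image.

    Returns (respin_needed, decisions) where each decision is
    (cve, package, score, action).  Advisories for packages that are not in
    the manifest never trigger a respin, which addresses the "more updates
    than needed" concern: only software actually present in the image counts.
    """
    decisions = []
    respin_needed = False
    for adv in advisories:
        score = cvss2_base_score(adv["vector"])
        if adv["package"] not in image_manifest:
            action = "ignore (package not in image)"
        elif score >= respin_at:
            action = "respin"
            respin_needed = True
        elif score >= refresh_at:
            action = "fold into next scheduled image refresh"
        else:
            action = "routine update after boot"
        decisions.append((adv["cve"], adv["package"], score, action))
    return respin_needed, decisions


# Constructed sample data: a toy manifest and four placeholder advisories.
SAMPLE_MANIFEST = {"kernel", "openssl", "bash", "cloud-init"}
SAMPLE_ADVISORIES = [
    {"cve": "CVE-XXXX-0001", "package": "openssl",
     "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},   # remote partial disclosure -> 5.0
    {"cve": "CVE-XXXX-0002", "package": "kernel",
     "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},   # worst case -> 10.0
    {"cve": "CVE-XXXX-0003", "package": "libreoffice",
     "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},   # 10.0, but not shipped in the image
    {"cve": "CVE-XXXX-0004", "package": "bash",
     "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},   # local partial DoS -> 2.1
]

if __name__ == "__main__":
    needed, rows = triage(SAMPLE_ADVISORIES, SAMPLE_MANIFEST)
    for cve, pkg, score, action in rows:
        print(f"{cve:14} {pkg:12} {score:4.1f}  {action}")
    print("respin needed:", needed)
```

The scoring function is self-contained, so the same check can be run against whatever score source a release team actually uses; the policy bands are the part a team would negotiate with QA and release engineering, and they are deliberately isolated in two constants.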