On Thu, May 22, 2014 at 11:26:07AM -0400, Matthew Miller wrote:
> See <https://fedorahosted.org/rel-eng/ticket/5886>. In short, the time to do
> an updates compose and push (plus sync times to mirrors) severely limits our
> ability to put out critical updates quickly. Would anyone be interested in
> filling out a plan for an alternate repository which would use a special
> expedited process to make ultra-critical updates available more quickly?

I dislike the idea of a separate repo for ultra-critical updates. Once a fix is available for a vulnerability it should, IMO, be shipped as soon as possible. I know this doesn't fit into the Microsoft model or our model of community testing but really as soon as you go public with a fix you've also just notified all the "bad guys" out there to the vulnerability and exactly how to exploit it. It's a race condition at that point.

I'd much prefer to have a mechanism in place that allows these fixes to be pushed to the repos almost immediately (once they've been properly tested). I'm not exactly sure how this can work but perhaps having QE tested patches packaged and ready for the embargo time would meet Release Engineering's criteria for testing?

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security Team
sparks@xxxxxxxxxx - sparks@xxxxxxxxxxxxxxxxx
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------