Re: developing the "critical updates repo" plan

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, May 22, 2014 at 11:26:07AM -0400, Matthew Miller wrote:
> See <https://fedorahosted.org/rel-eng/ticket/5886>. In short, the time to do
> an updates compose and push (plus sync times to mirrors) severely limits our
> ability to put out critical updates quickly. Would anyone be interested in
> filling out a plan for an alternate repository which would use a special
> expedited process to make ultra-critical updates available more quickly?

I dislike the idea of a separate repo for ultra-critical updates.  Once a fix is available for a vulnerability it should, IMO, be shipped as soon as possible.  I know this doesn't fit into the Microsoft model or our model of community testing, but really, as soon as you go public with a fix you've also just notified all the "bad guys" out there of the vulnerability and exactly how to exploit it.  It's a race condition at that point.

I'd much prefer to have a mechanism in place that allows these fixes to be pushed to the repos almost immediately (once they've been properly tested).  I'm not exactly sure how this can work, but perhaps having QE-tested patches packaged and ready for the embargo time would meet Release Engineering's criteria for testing?

- -- Eric

- --------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security Team

sparks@xxxxxxxxxx - sparks@xxxxxxxxxxxxxxxxx
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
- --------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
