Re: developing the "critical updates repo" plan

On Fri, May 23, 2014 at 10:01:46AM -0400, Eric H. Christensen wrote:
> I dislike the idea of a separate repo for ultra-critical updates.  Once a
> fix is available for a vulnerability it should, IMO, be shipped as soon as
> possible. I know this doesn't fit into the Microsoft model or our model of
> community testing but really as soon as you go public with a fix you've
> also just notified all the "bad guys" out there to the vulnerability and
> exactly how to exploit it. It's a race condition at that point.

I'm not sure I follow here. What do you dislike? This isn't meant to be a
hidden repo -- it's the "ship as soon as possible!" repo, so it sounds like
you're agreeing.

> I'd much prefer to have a mechanism in place that allows these fixes to be
> pushed to the repos almost immediately (once they've been properly
> tested). I'm not exactly sure how this can work but perhaps having QE
> tested patches packaged and ready for the embargo time would meet Release
> Engineering's criteria for testing?

Right, exactly -- that's the mechanism I'm looking for.

-- 
Matthew Miller    --   Fedora Project    --    <mattdm@xxxxxxxxxxxxxxxxx>
                                  "Tepid change for the somewhat better!"
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
