On Sat, Apr 18, 2015 at 12:35 PM, Jerry Bratton <JerryLBratton@xxxxxxxx> wrote:

> I'm concerned about how long it takes security updates to make it to users
> under Fedora's current policies (which generally allow such updates the
> possibility of sitting in testing for 14 days, or even longer).
>
> Just one example is the Firefox 37.0.1 update for Fedora 20:
> https://admin.fedoraproject.org/updates/FEDORA-2015-5723/firefox-37.0.1-1.fc20
>
> The currently available version of Firefox in Fedora 20 has a critical
> vulnerability which allows a man-in-the-middle attacker to impersonate any
> HTTPS website. In this context, shouldn't security concerns win out over the
> worry that there might be some regression? We already know there's a serious
> problem in the current package, so why do we have to wait 14 days just
> because there might be some problem in the new package?
>
> Shouldn't this policy be revised?

I thought a packager already has the ability to push something to stable without any delay? It's just not the default. Is that incorrect?

I think in the case of an upstream like Firefox, where we can pretty much be assured that they've escalated a critical security update before any other pending updates, it's completely reasonable for the packager to take advantage of any policy that lets them bypass updates-testing.

--
Chris Murphy

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security