On 19.04.2015 at 00:53, Chris Murphy wrote:
On Sat, Apr 18, 2015 at 12:35 PM, Jerry Bratton <JerryLBratton@xxxxxxxx> wrote:

I'm concerned about how long it takes security updates to make it to users under Fedora's current policies (which generally allow such updates the possibility of sitting in testing for 14 days, or even longer). Just one example is the Firefox 37.0.1 update for Fedora 20: https://admin.fedoraproject.org/updates/FEDORA-2015-5723/firefox-37.0.1-1.fc20

The currently available version of Firefox in Fedora 20 has a critical vulnerability which allows a man-in-the-middle attacker to impersonate any HTTPS website. In this context, shouldn't security concerns win out over the worry that there might be some regression? We already know there's a serious problem in the current package, so why do we have to wait 14 days just because there might be some problem in the new package? Shouldn't this policy be revised?

I thought a packager already has the ability to push something to stable without any delay? It's just not the default. Is that incorrect? I think in the case of an upstream like FireFox, where we can pretty much be assured that they've escalated a critical security update before any other pending updates, that it's completely reasonable for the packager to take advantage of any policy that lets them bypass updates-testing.
And an interesting question is why 37.0.2, available on koji, is not at bodhi at all, so nobody can give karma (if easy-karma works randomly, as yesterday, while not most of the time for weeks now).

The permanent timeouts of fedora-easy-karma are a real problem, because I guess I am not the only one running updates-testing all the time who doesn't open bodhi and seek out each installed testing update to give karma.
Apr 17 01:43:44 Updated: firefox-37.0.2-1.fc21.x86_64
-- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security