On Mon, 09 Aug 2004 00:56:54 +0200, Arjan van de Ven <arjanv@xxxxxxxxxx> wrote:
> it's a balancing act; do we delay the serious security hole fixes a day
> or not..... it's not an easy question. Right now the severity of the
> security problem made me decide against a day in testing but instead go
> live right away (based on a kernel that has been in rawhide for over a
> week). I hope you understand that that is a judgement call on a case by
> case basis (yes I know lame argument), but the fact that this security
> issue was going public with an exploit made me and Dave decide to go
> live instantly and not after 24 or 48 hours.

I understand it's case by case and I also understand that anything security related adds layers of complexity when trying to discuss the ramifications. But I'm not so sure the current way Fedora is handling crisis updates is really in balance at all. The move away from security backporting and a loss of a coherent way to get people update notices they can read before the updates become available for install throws the balance off a great deal from what has come before. And frankly, the change in how upstream kernel development is going to process new features into the stable tree isn't going to make situations like this any better.

Perhaps you can find a compromise here for the kernel, and release a weekly test kernel to updates-testing. Not with the intent of definitely releasing that kernel as updates-released. But so people can get a heads-up on changes of kernel features and document them in a FAQ so if you do have to push a crisis update major changes in how the kernel deals with hardware the FAQ can be referenced in the notice.

-jef