Kevin Kofler wrote:
> Les Mikesell wrote:
>> For my example of the late FC6 update, the machine didn't boot. I'd say
>> that's clearly a 'known broken' state at that point. But not much
>> more than that is clear. Why does that have to happen to more than one
>> machine?
> Because if we block/unpush/whatever updates based on a single report of
> brokenness, all Joe Evil Cracker needs to do to break into your machine is
> to wait for a security issue in OpenSSH or some other security-critical
> software, report the security update as "broken" and then exploit the hole.
> There would also be other kinds of vandals or jokesters who'd incorrectly
> report updates as "broken" just for fun.

What does it take then, if you don't believe reports? It wasn't
something you had to guess about. Any machine with certain types of
SCSI controllers would have exhibited the problem. Could you establish
a list of trusted reporters with an assortment of hardware where you
could bounce requests to reproduce problems to make them believable?
--
Les Mikesell
lesmikesell@xxxxxxxxx
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list