On Wed, 2009-11-18 at 18:03 -0500, Jeff Garzik wrote:
> On 11/18/2009 05:51 PM, Rahul Sundaram wrote:
> > On 11/19/2009 04:19 AM, Richard Hughes wrote:
> >> 2009/11/18 Seth Vidal<skvidal@xxxxxxxxxxxxxxxxx>:
> >>> Richard,
> >>> to be fair, when I asked you how to edit a .pkla file you couldn't tell me.
> >>> So, if our engineers don't know the basics, how should our users?
> >>
> >> Fair comment. Release notes additions might be good in this regard.
> >
> > It should have been announced and documented with the rationale for the
> > change *before* the release. Just pretending that everyone should know
> > about how PolicyKit works when documentation is just lacking doesn't cut
> > it. You didn't even respond to my bugzilla comment and just closed the
>
> Agreed 100.1%.
>
> > bug. We will still do a post-release update for the release notes now
> > but that's scrambling to minimize damage.
>
> The only thing that will fix the damage is to update PK, reverting the
> default-insecure policy.
>
> May I remind folks that it is easy to UPGRADE INTO INSECURITY here.
> Admins with servers, coming from F10/F11, can very easily fall into this
> trap simply by updating their current systems.
>
> Jeff

Has anyone drafted a notice to go out on the Announce List explaining
this vulnerability? If admins don't know to fix/remove PK then they are
putting their systems at risk.

--Eric
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list