Re: FESCo wants to ban direct stable pushes in Bodhi (urgent call for feedback)

On Wed, 2010-03-03 at 01:34 +0100, Björn Persson wrote:
> Adam Williamson wrote:
> > you can try and cherry-pick security updates, but then you get the
> > problem where initial release has Foobar 1.0, then Foobar 3.5 gets
> > shipped in updates, then a security problem emerges and Foobar 3.5-2
> > with the security fix gets shipped in updates. You now have a choice of
> > insecure Foobar 1.0, or completely new version Foobar 3.6.
> 
> There's also the other variant where a security problem is found in Foobar 1.0 
> but the problem isn't present in Foobar 3.0 and later. Upstream still supports 
> the 1.0 branch and releases Foobar 1.0.4 to fix the problem, but no security 
> update is released for Fedora since there is no problem in the latest Fedora 
> package. The Fedora user who chose not to upgrade Foobar won't even know that 
> there is a security problem.

 This isn't a hard problem: 3.0 should then be marked as a security
update. Sure it sucks that you have to go from 1.0.4 to 3.0, and
presumably a lot will change, but that's Fedora.
 On the other hand, if "yum --security update" does not fix the known
security problems on your system, that's a huge exploit waiting to
happen ... and one I doubt any users know about.
 I've sent a query to security@ to clarify.

-- 
James Antill - james@xxxxxxxxxxxxxxxxx
http://yum.baseurl.org/wiki/releases
http://yum.baseurl.org/wiki/whatsnew/3.2.27
http://yum.baseurl.org/wiki/YumMultipleMachineCaching
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
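The point about "yum --security update" above turns on one detail: the --security switch filters advisories in the repository's updateinfo.xml by their type attribute, not packages by their contents, so a version bump that happens to drop a vulnerable code path is invisible to it unless the advisory is flagged type="security". The script below is an added example, not code from the thread or from yum itself: it parses a constructed updateinfo.xml fragment (advisory ids FEDORA-EXAMPLE-000x, installed versions and the example.org address are all made up), compares epoch/version/release with a simplified rpmvercmp (tilde and caret handling omitted), and shows an installed foobar 1.0 getting nothing from a security-only run until the 3.0 advisory is re-typed as security, as the reply proposes.

```python
"""Added example, not code from the thread or from yum: what `yum --security
update` selects. The --security switch filters advisories in updateinfo.xml
by their type attribute, so an enhancement update that happens to drop a
vulnerable code path is invisible to it. All data below is constructed;
rpmvercmp is simplified (no tilde/caret handling)."""
import re
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml: foobar 3.0 and 3.5 no longer have the bug that
# foobar 1.0 has, but both were pushed as enhancements; bazlib is flagged.
SAMPLE_UPDATEINFO = """<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update type="enhancement" status="stable" from="updates@example.org">
    <id>FEDORA-EXAMPLE-0001</id><title>foobar-3.0-1.fc12</title>
    <pkglist><collection short="F12">
      <package name="foobar" epoch="0" version="3.0" release="1.fc12" arch="x86_64"/>
    </collection></pkglist>
  </update>
  <update type="enhancement" status="stable" from="updates@example.org">
    <id>FEDORA-EXAMPLE-0002</id><title>foobar-3.5-1.fc12</title>
    <pkglist><collection short="F12">
      <package name="foobar" epoch="0" version="3.5" release="1.fc12" arch="x86_64"/>
    </collection></pkglist>
  </update>
  <update type="security" status="stable" from="updates@example.org">
    <id>FEDORA-EXAMPLE-0003</id><title>bazlib-2.1-3.fc12</title>
    <pkglist><collection short="F12">
      <package name="bazlib" epoch="0" version="2.1" release="3.fc12" arch="x86_64"/>
    </collection></pkglist>
  </update>
</updates>
"""
# Constructed installed set: name -> (epoch, version, release).
INSTALLED = {"foobar": ("0", "1.0", "4.fc12"), "bazlib": ("0", "2.1", "1.fc12")}


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into numeric/alpha segments; numeric
    segments compare as integers and beat alpha segments; if one string
    runs out of segments the longer one is newer. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples the way rpm orders them."""
    ea, eb = int(a[0] or 0), int(b[0] or 0)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_updateinfo(xml_text):
    """Yield (advisory_id, type, package_name, (epoch, version, release))."""
    root = ET.fromstring(xml_text)
    for upd in root.iter("update"):
        for pkg in upd.iter("package"):
            yield (upd.findtext("id"), upd.get("type"), pkg.get("name"),
                   (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release")))


def applicable_updates(installed, xml_text, security_only=False):
    """Newest advisory per installed package that is newer than what is
    installed: name -> (advisory_id, type, "version-release").
    security_only mimics yum --security: advisories whose type is not
    "security" are dropped before any version comparison happens."""
    best = {}
    for uid, utype, name, evr in parse_updateinfo(xml_text):
        if name not in installed or (security_only and utype != "security"):
            continue
        if evr_cmp(evr, installed[name]) <= 0:
            continue
        if name not in best or evr_cmp(evr, best[name][2]) > 0:
            best[name] = (uid, utype, evr)
    return {n: (u, t, f"{e[1]}-{e[2]}") for n, (u, t, e) in best.items()}


def flag_as_security(xml_text, advisory_id):
    """Return updateinfo.xml with the named advisory re-typed as security,
    i.e. what the reply proposes for the 1.0 -> 3.0 case."""
    root = ET.fromstring(xml_text)
    for upd in root.iter("update"):
        if upd.findtext("id") == advisory_id:
            upd.set("type", "security")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("yum update:           ", applicable_updates(INSTALLED, SAMPLE_UPDATEINFO))
    print("yum --security update:", applicable_updates(INSTALLED, SAMPLE_UPDATEINFO, True))
    fixed = flag_as_security(SAMPLE_UPDATEINFO, "FEDORA-EXAMPLE-0001")
    print("after re-flagging 0001:", applicable_updates(INSTALLED, fixed, True))
```

Run as-is, the security-only pass returns only bazlib, leaving the vulnerable foobar 1.0 untouched while a plain update would take it to 3.5; re-typing FEDORA-EXAMPLE-0001 makes the security-only pass offer foobar 3.0-1, the oldest flagged build, which is the 1.0.4 to 3.0 jump the reply describes.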