On Wed, Sep 22, 2010 at 6:31 PM, Bruno Wolff III <bruno@xxxxxxxx> wrote:
> On Wed, Sep 22, 2010 at 17:27:43 +0200,
>   drago01 <drago01@xxxxxxxxx> wrote:
>> On Wed, Sep 22, 2010 at 5:04 PM, Bruno Wolff III <bruno@xxxxxxxx> wrote:
>> > On Wed, Sep 22, 2010 at 17:01:02 +0200,
>> >   Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
>> >> I say that the example of Webkit should be removed because if it is not
>> >> possible to backport the security patch and due to the version update
>> >> Midori has to be updated to a new version regardless of the changes of
>> >> user experience. The part of the example "judgement call based on how
>> >> intrusive the changes are" does not make any sense. We just cannot keep
>> >> the old insecure version regardless of how intrusive the changes are.
>> >
>> > Security isn't binary. It may be that a security update addresses an issue
>> > that can not happen in normal cases. It might be reasonable to just document
>> > the cases where there is a problem so as to warn people not to do that.
>>
>> NO, security issues ought to be *fixed* not just documented.
>
> All bugs ought to be fixed. That doesn't mean that if the cost to fix is high,
> other alternatives aren't acceptable.

In case of a security issue a random note somewhere "don't do that" is
not acceptable ... that's all I am saying here.
You are leaving users at risk by assuming that they will read that
notice (note: most won't).

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel