On Wed, Sep 22, 2010 at 8:35 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> On Wed, 22 Sep 2010 12:12:54 -0500
> Bruno Wolff III <bruno@xxxxxxxx> wrote:
>
>> On Wed, Sep 22, 2010 at 18:58:25 +0200,
>> drago01 <drago01@xxxxxxxxx> wrote:
>> >
>> > In case of a security issue a random note somewhere "don't do that"
>> > is not acceptable ... that's all I am saying here.
>> > You are leaving users at risk by assuming that they will read that
>> > notice (note: most won't).
>>
>> I disagree. There are lots of degrees to security bugs. How they are
>> handled depends on the cost of fixing the issue and the impact of the
>> bug. These tradeoffs are made all of the time.
>
> I agree with Bruno here.
>
> Security updates are very important and should be given a pretty high
> weight in general, but there are lots of further factors:
>
> - Does the security issue not affect Fedora in its default
>   configuration?
> - Is there a way to backport the fix to the current version instead of
>   taking a vastly changed upstream head package version?
> - Can some minor/not very used part of the existing package be disabled
>   to prevent the security issue from being a problem?
>
> Few things are black and white.

Might be true but a random notice on some website / mailing list / $whatever is NOT a fix. Period.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel