On Fri, 2010-11-12 at 20:03 +0100, Till Maas wrote: > On Mon, Nov 01, 2010 at 10:09:17AM -0700, Adam Williamson wrote: > > > I disagree. The evidence you cite does not support this conclusion. We > > implemented the policies for three releases. There are significant > > problems with one release. This does not justify the conclusion that the > > policies should be entirely repealed. > > It was brought to my attention that also current Fedora releases have > problems with delaying important security updates. A fix for a remote > code execution vulnerability in proftpd was only pushed to stable with a > seven day delay: > https://admin.fedoraproject.org/updates/proftpd-1.3.3c-1.fc13 > https://admin.fedoraproject.org/updates/proftpd-1.3.3c-1.fc14 > > And it is not a theoretical threat, I know that servers in the nearby > area have been exploited because of this vulnerability. Delaying such > updates seems to be a very bad idea. Even in the unlikely case that the > update was broken and made proftpd not start anymore, this is usually > not as bad as having the system corrupted by an evil attacker. Thanks for flagging this up. I'm wondering if perhaps we should devise a system - maybe a sub-group of proventesters - to ensure timely testing of security updates. wdyt? -- Adam Williamson Fedora QA Community Monkey IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org http://www.happyassassin.net -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
