On Fri, 12 Nov 2010 12:02:03 -0800 Adam Williamson <awilliam@xxxxxxxxxx> wrote: > On Fri, 2010-11-12 at 14:54 -0500, Simo Sorce wrote: > > > Adam why should security updates wait at all ? > > Do you fear some packager will flag as security updates that are > > not ? Surely we can deal with such maintainer if that happens... > > I don't have a hugely strong opinion either way, but the stated reason > by those who do is that security updates can be broken just like any > other. We don't have a magic 'infallible' switch on packagers which we > toggle only when they're building a security update. :) Oh sure I don't doubt that. But in this case we need to deal with the lesser evil. Is it more important to close a security bug with a (small) risk of breaking a package ? Or is it more important to (try to) test it and leave our users exposed for a long time to a security threat ? If we are not comfortable with treating all security issues the same we can have a flag that skips testing only for "remote exploit" type of security issues. That will reduce the number of exception to the most dangerous cases. What do you think ? Simo. -- Simo Sorce * Red Hat, Inc * New York -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel