On Thu, 21 Apr 2011 10:51:16 +0300
Axel Thimm <Axel.Thimm@xxxxxxxxxx> wrote:

> On Wed, 2011-04-20 at 12:26 -0600, Kevin Fenzi wrote:
> > The various update streams flow differently. For a normal day,
> > EPEL4/5/6 might have about 2-20 updates. It might be practical to
> > look at all these for a quick glance. f14 (updates and testing) has
> > around 30-50ish. f13 has around 5-20, and f15 has too many to even
> > count. ;) It's just not at all practical to have the people signing
> > the updates look at each one for criteria.
>
> Are all these security updates? I'm only arguing in favour of a
> fastlane method for security updates.

No, but the bodhi interface doesn't separate them. You can push testing
or stable for each release, and it basically gives you a long list of
packages that are pending for those states. Then you sign them and push
them out. To review security ones we would have to have it separate
them out, print out a url for each and have to review each one.

> The package in question may not be used by many people, but may have
> severe security implications. If the user count is low you will not
> find many or any users to karma it up, or even a proventester, OTOH
> the users that do have this package in operation will be exposed
> until the package sits off its time in testing - where probably no
> one will have given it a go anyway. You may also not want to
> advertise the security issues too loudly: You don't only attract
> testers that way, but also exploiters.

Sure, but it's always an issue with projects like Fedora. You commit a
fix to a security issue, someone watching commits can see it right
then, before the package is even built much less pushed to stable.

It might be nice if we had a group of testers specifically testing
security updates. That way they could check the CVE and commit and test
the package out to get them moved as quickly as possible. Not sure how
to create such a group however.

kevin
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel