Adam Williamson wrote: > Hey, all. The topic of whether and which security issues should block > releases has come up several times before. Indeed it has. The decision was always that it's not a good idea. I don't see how the situation has changed to warrant beating that dead horse again. > # There must be no known remote code execution vulnerability which could > be exploited during installation or during use of a live image shipped > with the release This is just completely and utterly moot considering that there are going to be many more unknown vulnerabilities than known ones, and that several of those are inevitably going to come up during the 6-month lifetime of a release. It's impossible to ship an exploit-free release just like it's impossible to ship a bug-free release. We have a process for security fixes, it's called "updates". I don't see how a 0-day update wouldn't be an appropriate resolution for a security issue. Now if you are talking about NTH, then yes, security fixes should be NTH. Maybe even all of them. But I don't think we should be blocking or delaying any release for them. We can't fix them all anyway. Kevin Kofler -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel