Re: Security release criterion proposal

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Adam Williamson wrote:
> Hey, all. The topic of whether and which security issues should block
> releases has come up several times before.

Indeed it has. The decision was always that it's not a good idea. I don't 
see how the situation has changed to warrant beating that dead horse again.

> # There must be no known remote code execution vulnerability which could
> be exploited during installation or during use of a live image shipped
> with the release

This is just completely and utterly moot considering that there are going to 
be many more unknown vulnerabilities than known ones, and that several of 
those are inevitably going to come up during the 6-month lifetime of a 
release.

It's impossible to ship an exploit-free release just like it's impossible to 
ship a bug-free release.

We have a process for security fixes, it's called "updates". I don't see how 
a 0-day update wouldn't be an appropriate resolution for a security issue.


Now if you are talking about NTH, then yes, security fixes should be NTH. 
Maybe even all of them. But I don't think we should be blocking or delaying 
any release for them. We can't fix them all anyway.

        Kevin Kofler

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux