Re: Security release criterion proposal

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2011-05-18 at 13:37 -0400, Adam Jackson wrote:
> On 5/18/11 1:22 PM, Kevin Kofler wrote:
> > Adam Williamson wrote:
> >> # There must be no known remote code execution vulnerability which could
> >> be exploited during installation or during use of a live image shipped
> >> with the release
> >
> > This is just completely and utterly moot considering that there are going to
> > be many more unknown vulnerabilities than known ones, and that several of
> > those are inevitably going to come up during the 6-month lifetime of a
> > release.
> 
> The difference between a known and an unknown security bug is that, if 
> _you_ know about it, it's virtually certain that someone malicious 
> already does too.
> 
> We can't avoid unknown risk exposure.  You're arguing for ignoring known 
> risk exposure entirely.  Seems a touch irresponsible.
> 
> Also: twelve month.

Well, I think his point is that it's almost certain that some 'unknown'
exposures will become 'known' during the life cycle of a release, at
which point the live images we release three months previously are
vulnerable to a known security exploit and there's exactly nothing we
can do about it - so worrying about the ones we _can_ fix at release
time becomes less important, when viewed from that perspective. It's a
good point.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux