Re: Security release criterion proposal

On Wed, 2011-05-18 at 19:22 +0200, Kevin Kofler wrote:
> Adam Williamson wrote:
> > Hey, all. The topic of whether and which security issues should block
> > releases has come up several times before.
> 
> Indeed it has. The decision was always that it's not a good idea. I don't 
> see how the situation has changed to warrant beating that dead horse again.
> 
> > # There must be no known remote code execution vulnerability which could
> > be exploited during installation or during use of a live image shipped
> > with the release
> 
> This is just completely and utterly moot considering that there are going to 
> be many more unknown vulnerabilities than known ones, and that several of 
> those are inevitably going to come up during the 6-month lifetime of a 
> release.

That's certainly a valid concern; does anyone have hard data on this?
Either way, it's certainly worth considering that we can do nothing
about issues that come to light after release, in relation to the
installer and live image.

> We have a process for security fixes, it's called "updates". I don't see how 
> a 0-day update wouldn't be an appropriate resolution for a security issue.

> Now if you are talking about NTH, then yes, security fixes should be NTH. 
> Maybe even all of them. But I don't think we should be blocking or delaying 
> any release for them. We can't fix them all anyway.

No, this would be release blocker stuff, not NTH. But I'm floating a
balloon here; if most agree with you, we could consider adding security
issues to the NTH principles instead.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel

