Re: Security release criterion proposal

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Adam Jackson wrote:
> The difference between a known and an unknown security bug is that, if
> _you_ know about it, it's virtually certain that someone malicious
> already does too.
> 
> We can't avoid unknown risk exposure.  You're arguing for ignoring known
> risk exposure entirely.  Seems a touch irresponsible.

"Unknown" risk exposure can become known after the release and we'd have to 
respin all our images for every single security fix to address that. This is 
just not practical.

> Also: twelve month.

13 months if you go by that metric, but the 6 months I mentioned are the 
time between 2 releases, i.e. the time that can pass in the worst case until 
we release fixed images.

        Kevin Kofler

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux