On Mon, Jul 15, 2013 at 12:21:11PM -0600, Kevin Fenzi wrote: > > That seems reasonable. I'll talk to the security team. > And QA and releng? ;) Sure, but see below for why I said that specifically. :) > I'm worried about the additional work this might cause unless we are > very narrow in what requires an image update. Is it: > * Security update in any package in the cloud image? > or > * Security update in any package in the cloud image that is 'remote' > vulnerabilty? > or > * Security update in any exposed package with a remote vulnerability? > (ie, kernel and openssh and firewalld or the like). > or something else? I think it's a narrower version of the final, with only updates meeting a certain level of criticality as determined by the security team warranting a respin. (Probably roughly equivalent to "critical impact" in Red Hat's issue severity classification.) -- Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm@xxxxxxxxxxxxxxxxx> -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
