Re: Please unpush FEDORA-2016-7776983633 on all releases or drop support for libjasper

Matthew Miller (mattdm@xxxxxxxxxxxxxxxxx) said: 
> On Wed, Sep 14, 2016 at 08:50:49PM +0100, Richard Hughes wrote:
> > before pushing the next update? Three people gave the update positive
> > karma and I can't believe all three did so without actually opening a
> > JPEG-2000 image in any GTK-using or KDE-using app so there might be
> > something more subtle going on.
> 
> The update note says this fixes a bunch of CVEs, and there's no test
> plan (https://fedoraproject.org/wiki/QA:SOP_package_test_plan_creation),
> so testers have no guidance. The included conversion command works, and I
> can use `display` to verify that the converted file looks okay.
> 
> I'm not saying this update should have been pushed — but I don't think
> it's _necessarily_ that the testers were hitting +1 without doing
> anything.

I honestly think this is as much of a developer issue as a tester issue.  If
the CVE fix was to silently change the API/ABI of the library, that's on
either upstream or downstream, depending on where the fix came from.  Yes,
you'd like testers to catch that, but it's the sort of update that ideally
doesn't happen to begin with.

Bill
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx



