On Tue, Aug 01, 2017 at 03:09:22PM -0400, Randy Barlow wrote:
> > Also, if I mark a security update as low priority, that means it
> > really is low priority. There's no need for many security updates to
> > skip batched. Many are e.g. minor DoS vulnerabilities that are
> > unlikely to be exploited ever, let alone in the next two weeks. Of
> > course remote code execution problems should probably skip batched,
> > but those are unlikely to be marked as low priority. ;)
>
> I feel a bit on the fence about this, but I see that mattdm +1'd it. If
> you feel strongly about it, please comment on the pull request to this
> effect.

I think this is why we don't just automatically make security fixes all
high priority but instead have a separate field. Many security updates
fix problems which only happen in unlikely configurations, or have
extremely minor consequences. (Exploits which get you the exact level of
privilege you had in the first place, for example.)

Of course, this does require packagers to think a little more in
classifying their updates. Maybe we could add a little bit of text
explaining what our norms are for both security and bugfix severity. I'd
look to the security team for wording.

(Hmmm. And should enhancement and new packages _get_ a severity option?
Maybe that should be locked to "unspecified"?)

-- 
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader