Re: RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers

On Sunday, February 16, 2020 12:25:01 PM MST Neal Gompa wrote:
> On Sun, Feb 16, 2020 at 2:23 PM John M. Harris Jr <johnmh@xxxxxxxxxxxxx> wrote:
> >
> > On Sunday, February 16, 2020 12:19:41 PM MST Chris Murphy wrote:
> > > On Sun, Feb 16, 2020 at 11:08 AM John M. Harris Jr <johnmh@xxxxxxxxxxxxx> wrote:
> > > >
> > > > On Thursday, February 13, 2020 1:34:32 PM MST Chris Murphy wrote:
> > > > > But the contra argument is, well what if there is an urgent security
> > > > > fix?
> > > > >
> > > > > The repo metadata, I guess, needs some way of distinguishing urgent vs
> > > > > non-urgent security updates, so that GNOME Software knows whether to
> > > > > notify the user accordingly. But is there a reliable way of
> > > > > distinguishing between urgent and non-urgent security updates? I'd
> > > > > informally suggest "urgent" is something that should be applied today
> > > > > or tomorrow. Anything else can wait a week or two.
> > > >
> > > > That's an entirely subjective thing. I'd recommend prompting to install
> > > > ALL security updates immediately, but why not just give the user an
> > > > option for security updates? This is what Mac and Windows do, and it
> > > > makes sense because it's really the user's opinion of security updates
> > > > that matters on their system.
> > >
> > > Windows has a weekly security and virus definitions update, not every
> > > day. Windows Home has no user-visible opt out. macOS separates minor
> > > version updates and security updates; security updates aren't more
> > > often than every few weeks. There's a very rare category of critical
> > > security updates that Apple can forcibly push onto a user's machine
> > > without consent.
> > >
> > > The complaint on Fedora Workstation relates to frequent, sometimes
> > > daily, update notifications because a package has a security-related
> > > update. The question is how to reduce this to once a week.
> >
> > If that's the question, that's what you should have asked. Really, that's
> > not something that should be done. Security updates are called security
> > updates for a reason.
>
> Yes they are, but it's also about sensible risk management. Most home
> users can put off *most* updates (security or otherwise) for a month
> without too much worrying. Business users may have a different risk
> profile, depending on network topology and other factors.

That's for the user to decide. In my opinion, if they're taking that device
off of their home network, their risk profile changes dramatically.

-- 
John M. Harris, Jr.
Splentity

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx