Getting security updates out to users sooner


 



Currently, security updates can take days to get to users.  In particular, Firefox and Thunderbird often take a day or more, even though virtually every single update contains security fixes.

We need to ensure that security updates reach stable within hours of an upstream advisory.  Ideally, we should get predisclosure access to source code, so that we have packages ready to distribute the moment the announcement is made.  Failing that, we need to start the build as soon as source code is available, and distribute packages as soon as they have been built for the architecture in question.  And we need to devote enough resources to the build that it completes quickly.

We also need to invalidate old metadata hashes whenever a security update happens.  This means that updates must propagate across the update network within an hour or less, preferably minutes.

How can this be accomplished?  I know that substantial releng and QA effort will be needed, along with close coordination with package maintainers and upstream developers.  That said, I have virtually never noticed a regression, so I consider getting a security update out quickly to be much more important.

Finally, some packages should have all updates considered as security updates.  This includes anything based on a web browser (Firefox, Thunderbird, SeaMonkey, Chromium, webkit2gtk, etc.), as well as the Linux kernel itself.  Virtually every update of these packages fixes security vulnerabilities, so updates to them should be considered security updates and treated as such.

Sincerely,

Demi