Re: Getting security updates out to users sooner

On Fri, Apr 17, 2020 at 1:01 am, Demi M. Obenour <demiobenour@xxxxxxxxx> wrote:
Finally, some packages should have all updates considered as security updates. This includes anything based on a web browser (Firefox, Thunderbird, SeaMonkey, Chromium, webkit2gtk, etc.), as well as the Linux kernel itself. Virtually every update of these packages fixes security vulnerabilities, so updates to them should be considered security updates and treated as such.

I've yet to see a Linux exploit developed for a web engine vulnerability and deployed against users in the wild. Are you aware of any instance of this happening, ever? Only a very tiny minority of web engine vulnerabilities ever have exploits developed for any platform. The usual workflow is: fuzzer finds HTML that triggers an ASan complaint, the end, you have a CVE. Now, that doesn't mean Linux exploits don't exist (they surely do). And it doesn't mean the vulnerabilities don't need to be fixed (they do). But let's be reasonable here. Most users are not at risk because we take some time to get the update out to users. Not unless a nation state is out to get you....

Cross-platform logic errors are more worrying, but it's unusual that a bug is so truly urgent that it needs to be fixed immediately. I know this happens with Firefox occasionally, but when it does, I don't think a next-day response is so bad.

We do need to get updates out in a timely manner, but I would say a couple weeks is sufficiently timely for most security updates. At least with WebKit, regressions are not uncommon and a few days of testing is important to ensure quality user experience.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx