On Fri, Apr 17, 2020 at 5:13 PM Michel Alexandre Salim <michel@xxxxxxxxxxxxxxx> wrote: > > On 4/16/20 11:42 PM, Jan Kratochvil wrote: > > On Fri, 17 Apr 2020 06:55:10 +0200, Michel Alexandre Salim wrote: > >> For kernel updates this is probably not a good idea. Given that updates > >> potentially introduce regressions, being able to distinguish updates with > >> known CVEs that we do need to roll out immediately, versus other updates we > >> can do more compatibility testing on, is critical. > > > > Even when there is a kernel regression a -1 vote gets immediately overvoted by > > the +1s of majority so the update gets pushed anyway. So I do not see what is > > the purpose of the voting at all. As an example: > > https://bodhi.fedoraproject.org/updates/FEDORA-2020-3cd64d683c#comment-1258825 > > = kernel-5.5.6-201.fc31 > > > Sure, but OP's proposal is to consider any kernel update as a security > update. Right now we auto-apply security updates to our fleet but let > users apply non-security updates at their own leisure. > As a kernel maintainer, I can assure you, I don't want them automatically considered security updates either. We know which ones are security, and they are marked as such. The ones which are not marked and do contain CVE fixes, it is because the CVE is not public yet, or the CVE was filed long after we pushed to stable and the fixed version was annotated retroactively. Justin _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
