On Sun, Jul 2 2023 at 06:27:48 PM -0400, Demi Marie Obenour
<demiobenour@xxxxxxxxx> wrote:
What about stuff that is too urgent to wait on Red Hat QA? There have
been vulnerabilities (such as CVE-2013-0156 and Log4Shell) for which
unauthenticated, fully automated, remote code execution exploits have
been found very, _very_ quickly. There may well be times when
attackers can write and use an exploit faster than Red Hat QA can
process an update. For these vulnerabilities waiting on Red Hat QA
is not an option.
Dire emergencies like these are extremely rare, but when they do occur,
everybody needs to work together to get updates out to all users ASAP.
That's true for every distro. Hypothetically speaking, if I were ever
unfortunate enough to be responsible for an emergency scenario like
that, I'd still want enough basic QA to at least ensure that the update
won't eat your disk, but such decisions would surely be handled on a
case-by-case basis.
In a more normal situation, updates take a few days to prepare. I
really don't think there's any problem with how CVEs are handled in
CentOS Stream *except* for the problem I mentioned earlier about
maintainers forgetting to push package updates to CentOS Stream by
mistake. We need a better process to ensure human error doesn't result
in CentOS Stream missing security or non-security updates. (This
impacts RHEL too, because future minor releases are built from CentOS
Stream, and we don't want fixes to disappear in future releases.)
Michael
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue