Am 03.07.23 um 02:00 schrieb Michael Catanzaro:
On Sun, Jul 2 2023 at 06:27:48 PM -0400, Demi Marie Obenour
<demiobenour@xxxxxxxxx> wrote:
What about stuff that is too urgent to wait on Red Hat QA? There have
been vulnerabilities (such as CVE-2013-0156 and Log4Shell) for which
unauthenticated, fully automated, remote code execution exploits have
been found very, _very_ quickly. There may well be times when
attackers can write and use an exploit faster than Red Hat QA can
process an update. For these vulnerabilities waiting on Red Hat QA
is not an option.
Dire emergencies like these are extremely rare, but when they do occur,
everybody needs to work together to get updates out to all users ASAP.
That's true for every distro. Hypothetically speaking, if I were ever
unfortunate enough to be responsible for an emergency scenario like
that, I'd still want enough basic QA to at least ensure that the update
won't eat your disk, but such decisions would surely be handled on a
case-by-case basis.
In a more normal situation, updates take a few days to prepare. I really
don't think there's any problem with how CVEs are handled in CentOS
Stream *except* for the problem I mentioned earlier about maintainers
forgetting to push package updates to CentOS Stream by mistake. We need
a better process to ensure human error doesn't result in CentOS Stream
missing security or non-security updates. (This impacts RHEL too,
because future minor releases are built from CentOS Stream, and we don't
want fixes to disappear in future releases.)
There is also demand between major release, some "features" are missing
in EL9 for instance.
--
Leon
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue