On Sat, Mar 30, 2024 at 11:12:02PM +0100, Sandro wrote:
>
> From what I understood, F40 Beta, the official Beta release, available from
> the website as of March 26, has updates-testing disabled by default. That

Nope.

> was confirmed by several people in #devel yesterday when the Fedora Magazine
> article was still being worked on.

I am pretty sure I said the opposite...

nirik: Branched enables updates-testing... so if you installed f40 anytime, you will have it enabled and if you then applied updates it would be in them
nirik: yes, we disable updates-testing by default right before release.

I guess that could have been read as right before beta release, but
that's not the case or what I meant. ;)

It's before _Final_ release that we disable updates-testing.
It's enabled by default from when we branch the release off until the
time right before release when we switch it (usually with a freeze
break/blocker bug)

> It's the RC composes that are made after branching and before Beta is
> declared GO, that have updates-testing enabled by default. I was one of the
> persons raising that point. I'm less certain wrt upgrades in the period
> between branching and Beta release.

I think the confusion here is "Beta Release" vs "Final release".
We enable updates-testing at branching time all the way until right
before "Final release". :)

> If that is incorrect and Beta shipped with updates-testing enabled,
> deliberately or by accident, then I stand corrected.

Yes, it did/does. :)

The logic is that most people who install betas or pre-releases want to
help test updates. If for some reason they don't, they can disable it,
but the default option is on.

> > It is obviously still an issue that is evolving and what seems clear now
> > might prove different later. But so far I tend to leave the discussion
> > topic as it is and ensure that F40 users expect being compromised and
> > get informed to act correspondingly with the suggested actions. However,
> > I already added a point how users can check if they have a malicious
> > build.
>
> I agree. Once the levees broke, news was traveling fast and, for some, panic
> may have set in, not helping in determining what information is accurate.
>
> Advice to err on the side of caution, check your system and upgrade if
> unsure, is certainly what I would tell anyone. Even distros (Arch, Gentoo)
> where it turned out the payload wasn't injected, acted out of an abundance
> of caution, put out advisories and updates for their users.
>
> What's written on Discussion looks to be covering the broad spectrum. Maybe
> the Fedora Magazine article could link to that post for further
> clarification.

Yeah, still lots to know about this...

kevin