Re: xz backdoor

On 01-04-2024 19:12, Adam Williamson wrote:
> On Mon, 2024-04-01 at 09:32 -0500, Michael Catanzaro wrote:
>> On Sun, Mar 31 2024 at 06:52:53 PM +00:00:00, Christopher Klooz
>> <py0xc3@xxxxxxxxxx> wrote:
>>> "Fedora Linux 40 branched users (i.e. pre-Beta) likely received the
>>> potentially vulnerable 5.6.0-2.fc40 build if the system updated
>>> between March 2nd and March 6th. Fedora Linux 40 Beta users only
>>> using stable repositories are NOT impacted. Fedora Linux 39 and 38
>>> users are also NOT impacted."
>>>
>>>   -> only pre-beta, not beta, affected
>>>    -> F40 beta using stable NOT impacted (without challenging the
>>> previously distributed assumption that testing is disabled by default)
>>>
>>> That's still the same false information, isn't it?
>>
>> It looks correct to me. The bug was fixed prior to the final release of
>> F40 beta,
>
> This is not really correct, or at least at all relevant. The bug wasn't
> in F40 Beta simply because the update never made it to 'stable'. Only
> 'stable' packages go into *composes*. However, saying that is not
> really useful because anyone who *installed* Beta and then updated it
> regularly may have got the vulnerable package. We should not say
> anything to give people the impression that if they installed Beta,
> they don't need to worry. That is not true or helpful.
>
>>   so describing it as "pre-beta" makes sense. And people who
>> used only the stable repos were indeed not affected. The article later
>> clarifies that updates-testing is enabled by default (although it would
>> be nicer to do this higher up rather than lower down the page).
>
> For the same reason I think it's dangerous and not useful to try and
> draw this distinction between notional "people who only use stable
> repos" and people who use testing. Who would actually install F40 but
> then manually turn updates-testing off? Very few people. I don't think
> we should talk about this because it just confuses the issue. It would
> be like saying a stable release security issue that appeared in a
> stable update didn't affect people who turned off the updates repo.
> Technically true, but people don't do that, why would we say it?

This boils down to the initial confusion as to when `updates-testing` is switched off. Both Justin and I thought it would be turned off again as soon as Beta is officially released.

If you take that confusion into account, making that distinction makes perfect sense. Unfortunately, it turned out to be the wrong assumption.

> We should have a simple and clear message that covers the most common
> and important case: if you installed Fedora 40 and updated regularly
> during the vulnerable time frame, you very likely got the vulnerable
> package and should take appropriate action. We should not confuse this
> with unnecessary verbiage about stable and testing and pre-Beta and
> post-Beta.

Agreed. I'm sure the text would have been different if the confusion (see above) hadn't happened.

OTOH, I also expect users, even inexperienced users, to bring some common sense. I oppose having to put "contents may be hot" on a coffee cup ...

-- Sandro
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
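The thread's practical point is that the question "am I affected?" on a Fedora 40 pre-release host depends on three things: the xz-libs build currently installed, whether `updates-testing` was enabled (the default on branched/pre-release systems, as the article and the thread confirm), and whether a 5.6.x build ever passed through the system even if a later update has since replaced it. The script below is an added example written for this page; it is not code from the thread, from Fedora, or from the Fedora Magazine article. The compromised upstream releases are xz 5.6.0 and 5.6.1 (CVE-2024-3094); the Fedora build named in the thread is 5.6.0-2.fc40. All sample inputs are constructed, and the repo file path, the dnf.rpm.log path and its line format, and the "clean" 5.4.6-3.fc40 version used in the demo are assumptions rather than facts taken from the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Fedora: classify a Fedora 40
# host by installed xz-libs build, updates-testing state, and package history.
# Sample inputs are constructed; log/repo paths and formats are assumptions.
set -u

# Backdoored upstream releases are xz 5.6.0 and 5.6.1 (CVE-2024-3094).
# Returns 0 (true) when a VERSION-RELEASE string is one of those builds.
xz_version_affected() {
    case "$1" in
        5.6.0-*|5.6.1-*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Read an INI-style dnf .repo file on stdin and print the `enabled` value
# of the requested section ("0" when the section or key is absent).
repo_enabled() {
    local want="$1" section="" enabled="0" line
    while IFS= read -r line; do
        case "$line" in
            \[*\])     section=${line#\[}; section=${section%\]} ;;
            enabled=*) if [ "$section" = "$want" ]; then enabled=${line#enabled=}; fi ;;
        esac
    done
    printf '%s\n' "$enabled"
}

# Scan package-transaction log lines on stdin (format assumed to resemble
# /var/log/dnf.rpm.log) and print every backdoored xz-libs NEVR seen.
log_affected_xz() {
    grep -oE 'xz-libs-5\.6\.[01]-[^ ]+' || true
}

# Verdict in the thread's terms. A host that once had the backdoored build
# is treated as exposed even if a clean build is installed now, which is
# the case the thread says the "stable vs testing" wording obscures.
assess() {
    local ver="$1" testing="$2" seen="$3"
    if xz_version_affected "$ver"; then
        echo "AFFECTED: xz-libs $ver is a backdoored build; downgrade now"
    elif [ -n "$seen" ]; then
        echo "EXPOSED: $seen was installed earlier; treat the host as compromised"
    elif [ "$testing" = "1" ]; then
        echo "AT-RISK: xz-libs $ver is clean but updates-testing is enabled; verify the full history"
    else
        echo "CLEAN: xz-libs $ver, updates-testing disabled, no 5.6.x build in history"
    fi
}

main() {
    local ver testing seen
    local repo=/etc/yum.repos.d/fedora-updates-testing.repo   # assumed path
    local log=/var/log/dnf.rpm.log                            # assumed path
    if command -v rpm >/dev/null 2>&1 && rpm -q xz-libs >/dev/null 2>&1; then
        # Live host: use the real package database, repo config and log.
        ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xz-libs | head -n1)
        testing=0; [ -r "$repo" ] && testing=$(repo_enabled updates-testing < "$repo")
        seen="";   [ -r "$log" ]  && seen=$(log_affected_xz < "$log" | head -n1)
    else
        # Offline demo with constructed inputs modelled on the thread's case:
        # a branched F40 install that updated on March 3rd with testing on,
        # and later moved to an (assumed) clean 5.4.x build.
        ver="5.4.6-3.fc40"
        testing=$(printf '[updates-testing]\nname=Fedora Test Updates\nenabled=1\n' \
                  | repo_enabled updates-testing)
        seen=$(printf '%s\n' \
            '2024-03-03T09:12:44+0000 SUBDEBUG Upgraded: xz-libs-5.6.0-2.fc40.x86_64' \
            '2024-03-30T17:40:02+0000 SUBDEBUG Installed: xz-libs-5.4.6-3.fc40.x86_64' \
            | log_affected_xz | head -n1)
    fi
    assess "$ver" "$testing" "$seen"
}

main
```

Run without arguments on a Fedora 40 host it reads the live package database; anywhere else it falls back to the constructed sample, which reports EXPOSED because the 5.6.0-2.fc40 build appears in the history even though the currently installed package is clean. That is the distinction the thread asks for: the current version alone is not the answer.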



