On Mon, 20 Apr 2015 03:55:10 +0200, Jerry Bratton wrote:

> >The update ticket has been set to need +3.
> >
> >It could have been lowered to +2 by the update submitter, but whether and
> >when to do that depends on various factors.
>
> Where did the +2 threshold come from?

https://fedoraproject.org/wiki/Updates_Policy#Updates_to_.27critical_path.27_packages

> Are you saying the submitter did not request it?

+3 was requested.

> You stated it's "not true" that users of Fedora 20 have been vulnerable for 16 days. You apparently justify this claim by stating that they could have used the package from updates testing. In other words, your opinion is that every user of Fedora should be expected to check updates testing every day and manually apply security updates from updates testing, overriding the Fedora defaults, in order to get critical security updates in a timely fashion (i.e. not having to wait 16 days and counting). You consider this to be the most reasonable solution to the problem? I'm at a loss.

That's not exactly what I'm suggesting. Not "every user of Fedora should be expected to check updates testing every day". __More__ users of Fedora should be aware of how updates-testing works, how to find and use the Fedora Updates System web site (bodhi), and leave their pure-consumer role. Start testing _before_ something enters the stable updates repo. Ensure that the features you need (or depend on more strictly perhaps) will still work after applying the latest bunch of "stable updates". It would make the community stronger.

In this particular case a single +1 vote from another user would have been enough and would have triggered an automatic push to stable.

Yes, in my opinion it is a really bad joke, for example, if somebody with interest in some software published by Fedora -- possibly someone with a strong interest even -- opens a problem report in bugzilla and complains about an update after it had been in updates-testing for a month without any feedback.

I know that many users expect "the distributor" to do all the work, but I don't think that is feasible for any of the popular distributions. And I think Fedora has made it easy for users to become part of the community and find an area where they can contribute, even if just by making sure that some single package still works after an update.

Back to the topic, I don't think hot-fixes are applicable in all cases, not even with dedicated man-power. Hot-fixes would also exclude the community and take away the chance to find bugs/regressions and block a faulty update prior to entering the stable updates repo.