2015-04-19 19:25 GMT+02:00 Michael Schwendt <mschwendt@xxxxxxxxx>:
> On Sun, 19 Apr 2015 00:07:48 +0200, Jerry Bratton wrote:
>
>> Then the policy that I suggest revising is the one which precludes
>> automatically pushing at the +2 threshold.
>
> There is no "one size fits all" with regard to security updates.
>
> Even if it were not a version upgrade, but only a small patch on top of a
> previously released version of the software, it's a new build that can
> break in lots of funny and not so funny ways. Sometimes software builds
> break because dependencies, tool-chains, frameworks have changed since the
> last released build.

Hmm, security has precedence over even backward compatibility. The maintainers should be ultimately responsible for ensuring that the package they maintain is in a coherent state, and in theory just backporting the security patches. I know that it is often easier said than done, but the general rule is security first.

>> Even requiring the lower threshold might arguably be too much. In any
>> case, under the current system, users of Fedora 20 have been vulnerable
>> already for 15 days.
>
> Which, IMHO, is not true, because this update is available in the
> updates-testing repository. What is wrong with fetching it from there?
> Especially since you think it's good enough to be unleashed.

General users can't really be asked to enable a testing repository by default, and you really need to know if an update is a security update rather than a general update.

> Users of Fedora really need to understand that they are consumers of
> test updates in more cases than they may be aware of. All those Test Updates,
> which are pushed into the stable updates repo manually (i.e. with 0 karma
> and no explicit feedback from any testers, not even the packager) may have
> seen no testing at all.

This is a problem that needs to be addressed, and I don't think it can be addressed by pushing the burden onto the users.

I agree Fedora is a community effort, but it's the wrong take to require that anybody that uses Fedora *must* contribute to it, or the penalty is to receive wrong updates or a vulnerable system.

Cheers,
Mario

--
pgp key: http://subkeys.pgp.net/ PGP Key ID: 80F240CF
Fingerprint: BA39 9666 94EC 8B73 27FA FC7C 4086 63E3 80F2 40CF

Java Champion - Blog: http://neugens.wordpress.com - Twitter: @neugens
Proud GNU Classpath developer: http://www.classpath.org/
OpenJDK: http://openjdk.java.net/projects/caciocavallo/
Please, support open standards: http://endsoftpatents.org/

--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/packaging