On Fri, 2012-10-26 at 19:33 +0000, "Jóhann B. Guðmundsson" wrote:
> On 10/26/2012 07:14 PM, Adam Williamson wrote:
> > I wanted to raise the question of whether it makes
> > sense in general to hold our releases for some security bugs. Right now
> > we have no capacity to do that.
>
> I don't think that should be for us to decide. When we encounter
> potential security issues in the development release cycle we should just
> forward those issues to the security team to determine if that's the case
> and let's assume it is then *they* would contact fesco which in turn
> decides if the release should be *delayed* or not until that security
> issue has been addressed.
>
> Given that these issues are few and far between I don't think it
> warrants a specific criterion surrounding it but should rather be dealt
> with on a case-by-case basis.

Oh, and in case this helps, I wasn't planning on adding a test case which says 'go test the entire distribution for security issues', or anything. The idea was just that this would be a criterion we would 'hold in reserve' to use when security issues were elevated to our attention. So really it just provides a mechanism for us to take a security issue that someone has raised that really seems to be a problem, and give it blocker status.

I think with the feedback we've seen so far that we can say the original proposal was substantially too broad, so how about this as a revised proposal - for now, we just add a single Final release criterion which reads:

"The release must contain no known security issues of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)"

?

How does that sound to everyone? It drops the issue entirely for Alpha and Beta, and means we only consider bad issues that cannot be fixed with an update for Final.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net