On Fri, 2012-10-26 at 19:33 +0000, "Jóhann B. Guðmundsson" wrote:
> On 10/26/2012 07:14 PM, Adam Williamson wrote:
> > I wanted to raise the question of whether it makes
> > sense in general to hold our releases for some security bugs. Right now
> > we have no capacity to do that.
>
> I don't think that should be for us to decide. When we encounter
> potential security issues in the development release cycle we should just
> forward those issues to the security team to determine if that's the case
> and let's assume it is then *they* would contact fesco which in turn
> decides if the release should be *delayed* or not until that security
> issue has been addressed.
>
> Given that these issues are few and far between I don't think it
> warrants a specific criterion surrounding it but should rather be dealt
> with on a case-by-case basis.
>
> The security community exists for this exact purpose so let's just let
> them handle that. They are experts in what they do...

Well, Vincent seemed to think it would be good to handle this as a
matter of policy via the blocker process and not case-by-case by FESCo.

I don't think it's quite like the feature process case where we say
'feature issues go to FESCo not through the blocker process', because
the feature process is a Thing that Exists and is owned by FESCo. We
don't _have_ a security bug process at present, really. At least so far
as blocking releases is concerned. Anything introduced at this point
would be an invention, whether it goes via FESCo or the release
validation process.

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net