On Thu, Apr 17, 2014 at 02:52:41PM +0200, drago01 wrote:
> On Thu, Apr 17, 2014 at 2:51 PM, Chuck Anderson <cra@xxxxxxx> wrote:
> > On Wed, Apr 16, 2014 at 11:23:15PM +0200, drago01 wrote:
> >> On Wed, Apr 16, 2014 at 9:11 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> >> > Greetings.
> >> >
> >> > We have new f19/f20 images with openssl updated, and they appear to be
> >> > default/live already.
> >> >
> >> > Were we waiting for some testing runs on them before announcing?
> >> > (Which we should have done before making them live, imho)
> >> >
> >> > Or did that already happen?
> >> >
> >> > Did we want to do a full test cycle on them?
> >> > Or just openssl related actions?
> >>
> >> Huh?
> >>
> >> Since when do we do something like this? Sounds like an overreaction to me.
> >> Installing (security) updates is the first thing you should do after
> >> installing anyway and besides who decided this and when?
> >> What are the criteria for doing updated images?
> >
> > Live images can't be updated...
>
> 1) They can
> 2) Live images are not supposed to be used for production ..

1) Sure, if you have a persistent live image on a USB I suppose. But with
CD/DVD media, you cannot update and then reboot as is necessary to fix the
issue. You can manually restart all processes/services that were linked
against the old openssl I suppose, but you would have to go through this
dance after every single boot to remove this vulnerability.

2) Live images could be used to rescue/repair a production environment, or
could be used as a client to access a production environment. For example
one could be using "curl" which is linked against the bad openssl. We
shouldn't leave our users exposed if they decide to use a live image,
especially since I don't think it is documented anywhere that "these images
are unsuitable for use in a production environment".

Additionally, I believe we should somehow clearly mark all the new images so
that we can easily tell if they are the updated ones or not.
Maybe call them Fedora releases 19.1 and 20.1.
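
The manual restart described in the message above depends on knowing which running processes still map the old library after the package is updated. The following Python is an added example, not part of the original message or of any Fedora tooling; it assumes Linux, where /proc/<pid>/maps marks a mapped file that has been replaced on disk with a " (deleted)" suffix, and the function names and sample data are constructed for illustration.

```python
import os
import re

# libssl / libcrypto shared objects, e.g. libssl.so.1.0.1e
OPENSSL_LIB = re.compile(r"/lib(?:ssl|crypto)\.so[^/\s]*$")
DELETED = " (deleted)"  # suffix the kernel appends for unlinked mapped files

# Constructed sample of one process's maps file (not captured from a real host).
SAMPLE_MAPS = """\
00400000-0042a000 r-xp 00000000 fd:01 1311 /usr/bin/curl
7f10a0000000-7f10a01b6000 r-xp 00000000 fd:01 2001 /usr/lib64/libc-2.18.so
7f10a1000000-7f10a1061000 r-xp 00000000 fd:01 2622 /usr/lib64/libssl.so.1.0.1e (deleted)
7f10a2000000-7f10a21c9000 r-xp 00000000 fd:01 2623 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f10a3000000-7f10a3001000 rw-s 00000000 00:21 9001 /tmp/cache.bin (deleted)
7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0 [stack]
"""

def stale_openssl_maps(maps_text):
    """Return sorted OpenSSL library paths that are mapped but replaced on disk."""
    stale = set()
    for line in maps_text.splitlines():
        # Layout: address perms offset dev inode pathname
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        path = fields[5].strip()
        if not path.endswith(DELETED):
            continue  # file on disk is still the one that is mapped
        path = path[:-len(DELETED)]
        if OPENSSL_LIB.search(path):
            stale.add(path)
    return sorted(stale)

def scan_proc(proc_root="/proc"):
    """Map pid -> stale OpenSSL libraries for every readable process."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_openssl_maps(fh.read())
        except OSError:
            continue  # process exited, or maps not readable without root
        if stale:
            results[int(entry)] = stale
    return results

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

Run as root to see every process; any pid it lists is still using the pre-update library and needs a restart.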