On Thu, Apr 17, 2014 at 3:02 PM, Chuck Anderson <cra@xxxxxxx> wrote:
> On Thu, Apr 17, 2014 at 02:52:41PM +0200, drago01 wrote:
>> On Thu, Apr 17, 2014 at 2:51 PM, Chuck Anderson <cra@xxxxxxx> wrote:
>> > On Wed, Apr 16, 2014 at 11:23:15PM +0200, drago01 wrote:
>> >> On Wed, Apr 16, 2014 at 9:11 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>> >> > Greetings.
>> >> >
>> >> > We have new f19/f20 images with openssl updated, and they appear to be
>> >> > default/live already.
>> >> >
>> >> > Were we waiting for some testing runs on them before announcing?
>> >> > (Which we should have done before making them live, imho)
>> >> >
>> >> > Or did that already happen?
>> >> >
>> >> > Did we want to do a full test cycle on them?
>> >> > Or just openssl related actions?
>> >>
>> >> Huh?
>> >>
>> >> Since when do we do something like this? Sounds like an overreaction to me.
>> >> Installing (security) updates is the first thing you should do after
>> >> installing anyway and besides who decided this and when?
>> >> What are the criteria for doing updated images?
>> >
>> > Live images can't be updated...
>>
>> 1) They can
>> 2) Live images are not supposed to be used for production ..
>
> 1) Sure if you have a persistent live image on a USB I suppose. But
> with CD/DVD media, you cannot update and then reboot as is necessary
> to fix the issue. You can manually restart all processes/services
> that were linked against the old openssl I suppose, but you would have
> to go through this dance after every single boot to remove this
> vulnerability.

Which service do we install and run by default that uses OpenSSL and
is configured to use SSL on the live media?
-> Answer is none.

> 2) Live images could be used to rescue/repair a production
> environment,

See above.

> or could be used as a client to access a production
> environment. For example one could be using "curl" which is linked
> against the bad openssl.

curl is a client.

> We shouldn't leave our users exposed if they
> decide to use a live image, especially since I don't think it is
> documented anywhere that "these images are unsuitable for use in a
> production environment".

They are unsuitable by their very nature of being live images.

--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test
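
Added example, not part of the original message or of any Fedora tooling: the quoted point that processes linked against the old openssl keep using it until they are restarted can be checked on a Linux system by looking in `/proc/<pid>/maps` for OpenSSL libraries that are still mapped but deleted on disk. The sample maps text is constructed, and the function names are this example's own.

```python
import re
from pathlib import Path

# OpenSSL's shared objects only; NSS's libssl3.so must not match.
SSL_LIB = re.compile(r"/lib(?:ssl|crypto)\.so[^/\s]*$")
DELETED = " (deleted)"  # suffix the kernel appends when the mapped file was unlinked

# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a062000 r-xp 00000000 fd:01 131234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1c2a400000-7f1c2a5b0000 r-xp 00000000 fd:01 131230 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1c2a7b0000-7f1c2a7d0000 rw-p 001b0000 fd:01 131230 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1c2b000000-7f1c2b1b6000 r-xp 00000000 fd:01 130999 /usr/lib64/libc-2.18.so
7f1c2b800000-7f1c2b840000 r-xp 00000000 fd:01 131500 /usr/lib64/libssl3.so (deleted)
7f1c2c000000-7f1c2c004000 rw-p 00000000 00:00 0
7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0 [stack]
"""

def stale_ssl_mappings(maps_text):
    """Return sorted OpenSSL library paths that are mapped but deleted on disk."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname
        fields = line.rstrip().split(None, 5)
        if len(fields) < 6 or not fields[5].endswith(DELETED):
            continue  # anonymous mapping, or file still present on disk
        path = fields[5][: -len(DELETED)]
        if SSL_LIB.search(path):
            stale.add(path)  # several segments of one library collapse to one entry
    return sorted(stale)

def scan(proc_root="/proc"):
    """Map pid -> (command name, stale libraries) for every readable process."""
    findings = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            libs = stale_ssl_mappings((entry / "maps").read_text(errors="replace"))
            comm = (entry / "comm").read_text(errors="replace").strip()
        except OSError:
            continue  # process exited, or its maps are not readable by this user
        if libs:
            findings[int(entry.name)] = (comm, libs)
    return findings

if __name__ == "__main__":
    for pid, (comm, libs) in sorted(scan().items()):
        print(f"{pid}\t{comm}\t{', '.join(libs)}")
```

Run as root to see every process; an empty result after an update means nothing running still maps the replaced library files.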