On Fri, 12 Nov 2010 11:19:22 -0800 Adam Williamson <awill...@redhat.com> wrote:
> On Fri, 2010-11-12 at 20:03 +0100, Till Maas wrote: > > On Mon, Nov 01, 2010 at 10:09:17AM -0700, Adam Williamson wrote: > > > > > I disagree. The evidence you cite does not support this > > > conclusion. We implemented the policies for three releases. There > > > are significant problems with one release. This does not justify > > > the conclusion that the policies should be entirely repealed. > > > > It was brought to my attention that also current Fedora releases > > have problems with delaying important security updates. A fix for a > > remote code execution vulnerability in proftpd was only pushed to > > stable with a seven day delay: > > https://admin.fedoraproject.org/updates/proftpd-1.3.3c-1.fc13 > > https://admin.fedoraproject.org/updates/proftpd-1.3.3c-1.fc14 > > > > And it is not a theoretical threat, I know that servers in the > > nearby area have been exploited because of this vulnerability. > > Delaying such updates seems to be a very bad idea. Even in the > > unlikely case that the update was broken and made proftpd not start > > anymore, this is usually not as bad as having the system corrupted > > by an evil attacker. > > Thanks for flagging this up. > > I'm wondering if perhaps we should devise a system - maybe a sub-group > of proventesters - to ensure timely testing of security updates. wdyt? Adam why should security updates wait at all ? Do you fear some packager will flag as security updates that are not ? Surely we can deal with such maintainer if that happens... Simo. -- Simo Sorce * Red Hat, Inc * New York -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
