Problems with bodhi and security updates

Andrew Farris lordmorgul at gmail.com
Sun Jan 27 11:46:57 UTC 2008


Kevin Kofler wrote:
> One thing you could try:
> * change the type to Bugfix,
> * request push to stable,
> * change it back to Security.
> Unless they fixed that, it'll bypass the security team approval process. ;-)
> 
> I accidentally discovered that because when I pushed the qimageblitz execstack 
> fix, I requested a push to stable as a regular update, then realized it has 
> security implications so I set the security flag, the result is that they're 
> now sitting in stable and have "Security team approval: False".

That's a rather ironic breakdown in the process, I would think; a security fix 
should get out as rapidly as possible, but it should be verified to actually fix 
the security flaw as well... holding up the release of the fix to try it while 
other seemingly innocuous updates go out is just steeped in 'brokenness'.

A change in process to have the security team verifying that fixes actually 
close the bugs they are supposed to close after the update is released sounds 
(to a guy outside the security review process) like a better idea.
1. package that fixes security flaw is built
2. push fix to testing (does it install? does it break other stuff?)
3. push fix to stable
4. security team checks that the security hole is really fixed, mark it so
5. otherwise tell maintainer to go back and do it again

It's only an increase in bandwidth for people who get the update (that might get 
replaced soon, and maybe doesn't fix the flaw). I'd rather have a maybe fix 
than a definitely not fixed yet, as long as some basic testing is still done.

-- 
Andrew Farris <lordmorgul at gmail.com> www.lordmorgul.net
  gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer