On Wed, 22 Sep 2010 12:12:54 -0500
Bruno Wolff III <bruno(a)wolff.to> wrote:
> On Wed, Sep 22, 2010 at 18:58:25 +0200,
> drago01 <drago01(a)gmail.com> wrote:
> >
> > In case of a security issue a random note somewhere "don't do that"
> > is not acceptable ... that's all I am saying here.
> > You are leaving users at risk by assuming that they will read that
> > notice (note: most won't).
> I disagree. There are lots of degrees to security bugs. How they are
> handled depends on the cost of fixing the issue and the impact of the
> bug. These tradeoffs are made all of the time.
I agree with Bruno here.
Security updates are very important and should be given a pretty high
weight in general, but there are lots of further factors:
- Does the security issue not affect Fedora in its default
configuration?
- Is there a way to backport the fix to the current version instead of
taking a vastly changed upstream head package version?
- Can some minor/not very used part of the existing package be disabled
to prevent the security issue from being a problem?
Few things are black and white.
kevin