On Sat, Apr 18, 2015 at 12:35 PM, Jerry Bratton
<JerryLBratton(a)mail.com> wrote:
> I'm concerned about how long it takes security updates to make it to users
> under Fedora's current policies (which generally allow such updates the
> possibility of sitting in testing for 14 days, or even longer).
>
> Just one example is the Firefox 37.0.1 update for Fedora 20:
>
> https://admin.fedoraproject.org/updates/FEDORA-2015-5723/firefox-37.0.1-1...
>
> The currently available version of Firefox in Fedora 20 has a critical
> vulnerability which allows a man-in-the-middle attacker to impersonate any
> HTTPS website. In this context, shouldn't security concerns win out over the
> worry that there might be some regression? We already know there's a serious
> problem in the current package, so why do we have to wait 14 days just
> because there might be some problem in the new package?
>
> Shouldn't this policy be revised?
I thought a packager already has the ability to push something to
stable without any delay? It's just not the default. Is that
incorrect?
I think in the case of an upstream like Firefox, where we can pretty
much be assured that they've escalated a critical security update
before any other pending updates, it's completely reasonable for
the packager to take advantage of any policy that lets them bypass
updates-testing.
And an interesting question is why 37.0.2, available on koji, is not in
bodhi at all, so nobody can give karma (if easy-karma works randomly, as
yesterday, while not working most of the time for weeks now).
The permanent timeouts of fedora-easy-karma are a real problem because I
guess I am not the only one running updates-testing all the time who doesn't
open bodhi and search for each installed testing update to give karma.
Apr 17 01:43:44 Updated: firefox-37.0.2-1.fc21.x86_64