On 5/18/11 1:22 PM, Kevin Kofler wrote:
> Adam Williamson wrote:
>> # There must be no known remote code execution vulnerability which could
>> be exploited during installation or during use of a live image shipped
>> with the release
>
> This is just completely and utterly moot considering that there are going to
> be many more unknown vulnerabilities than known ones, and that several of
> those are inevitably going to come up during the 6-month lifetime of a
> release.

The difference between a known and an unknown security bug is that, if 
_you_ know about it, it's virtually certain that someone malicious 
already does too.

We can't avoid unknown risk exposure.  You're arguing for ignoring known 
risk exposure entirely.  Seems a touch irresponsible.

Also: twelve month.

- ajax

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
