On Friday, 23 September 2016 07:56:15 UTC+10, dlme...@gmail.com  wrote:
> On Friday, 23 September 2016 04:11:33 UTC+10, se...@redhat.com  wrote:
> > On Thursday, September 22, 2016 at 3:57:01 AM UTC-4, dlme...@gmail.com 
> > wrote:
> > > On Monday, 15 August 2016 20:43:18 UTC+10, pixel fairy  wrote:
> > > > On Sunday, August 14, 2016 at 3:22:30 PM UTC-7, Alex wrote:
> > > > ...
> > > > > 1. Install the Chromium browser in your appvm template - skip if you 
> > > > > were already using it. Shut down the template VM.
> > > > 
> > > > I keep wondering how safe chromium browser is. do redhat or debian 
> > > > track updates in time with google-chrome?
> > > 
> > > 
> > > Chromium in the supported Fedora template for Qubes (FC23) contains High 
> > > severity security bugs:
> > > 
> > > FC23 = 52.0.2743.116-10.fc23.
> > > FC24 = 53.0.2785.113-1.fc24.
> > > 
> > > See: https://apps.fedoraproject.org/packages/chromium  (for builds)
> > > 
> > > Numerous security vulnerabilities, including High severity CVE's here:
> > > https://googlechromereleases.blogspot.com.au/2016/09/stable-channel-update-for-desktop_13.html
> > > 
> > > Newer RPMs available here, but haven't been tagged to either updates or 
> > > updates-testing for FC23:
> > > 
> > > http://koji.fedoraproject.org/koji/buildinfo?buildID=802754
> > 
> > 
> > So what you're saying is we should move to Fedora 24.
> 
> Sure.  However, FC23 is still listed as a supported release: 
> https://fedoraproject.org/wiki/Releases#Current_Supported_Releases.  Maybe 
> only "Critical" security fixes would make it to FC23 though, not "High" 
> (https://www.chromium.org/developers/severity-guidelines), but people likely 
> assume otherwise.  Note also that Chromium is not listed as a Critical Path 
> package, unlike Firefox.


Qubes 3.1 doesn't have an fc24 template. 
Qubes 3.2 won't be released with fc23 because it's too late in testing, but 
will (does currently for the RC) have an fc24 template available.

It looks like chromium-53.0.2785.116-1.fc23 should now be in 'updates-testing' 
repo (since 2016-09-21 17:43:43Z), but it hasn't propagated far.

Out of 6 mirrors in Australia, only one here even had the previous 
53.0.2785.113-1.fc23.x86_64, in 'updates-testing', which is now ~8 days old.

YMMV, but looks like Fedora needs to drop some consistently slow mirrors: 
https://admin.fedoraproject.org/mirrormanager/propgation

Also, if fc23 users want Chromium, it needs package testers. 
https://fedoraproject.org/wiki/QA:Updates_Testing.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/638ea945-7e38-4d96-9e20-9e6d68e0b35c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to