> # There must be no known remote code execution vulnerability which could > be exploited during installation or during use of a live image shipped > with the release > > Points to consider: > > * Possible variants to the type of vulnerability covered...do we also > want to make local privesc vulns blocking? Conversely, do we want to > make only remote *root* execution vulns blocking? I don't know if anyone > would want to go as far as making DoS vulns release blocking, but speak > up if you would! (Of course there is again the local/remote distinction > to consider there: 'all DoS vulns' would be a much tighter standard than > 'remote DoS vulns').
I say, local privilege escalations with publicly available exploits, and remotely triggerable vulnerabilities. If such an issue is known before Final, we should attempt to address it before releasing. Eugene -- security mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/security
