On 06/21/2011 04:41 PM, Les Mikesell wrote:
I'm pointing out that running for any length of time without fixing known vulnerabilities is very bad. Even if it is a local root escalation - if you also have an exploit in a network app (like the bazillion in php and its apps, struts, etc.) the two can be combined to take over the machine and it is mostly a matter of time until it happens (and yes, this is from experience...). And I thought last time around you said these packages would go through the normal QA process before even going into the optional CR repo, so I'll repeat the question as to why you think something is going to be wrong with them. I can see wanting some reasonable number of machines to run them as a test, but still don't understand why anyone would want to continue to run with known problems instead of having them fixed.
I think you need to re-read the thread a bit; you are getting confused about what we are doing and what Wolfy said was happening in Fedora.
- KB