On Thu, Oct 2, 2014 at 1:28 PM, Pat Riehecky <riehecky at fnal.gov> wrote: > On 10/02/2014 12:31 PM, Karanbir Singh wrote: >> >> On 10/02/2014 06:00 PM, Pat Riehecky wrote: >>> >>> We were fully aware of which versions of openssl contained CVE-2014-0160 >>> and which SL versions contained the vulnerability. >> >> excellent, but you completely missed the point where all of SL installs >> were potentially at risk, with no way to factor back or check any state >> since there is no CVE validation being done. >> >> or are you doing cve validations and testing expoits actively now ? >> >> > > The CentOS Devel list seems to be the incorrect place to debate SL update > policies. > If you look at in the context of improving the systems and which serves the users needs best, then the more information the better. Do you have some examples of things that have broken on full minor-rev updates? -- Les Mikesell lesmikesell at gmail.com