{"id":129260,"date":"2022-10-27T19:43:08","date_gmt":"2022-10-27T19:43:08","guid":{"rendered":"https:\/\/fedoramagazine.org\/?p=37327"},"modified":"2022-10-27T19:43:08","modified_gmt":"2022-10-27T19:43:08","slug":"fedora-linux-37-update","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2022\/10\/27\/fedora-linux-37-update\/","title":{"rendered":"Fedora Linux 37 update"},"content":{"rendered":"

Fedora Linux 37 is going to be late; very late. Here\u2019s why. As you may have heard, the OpenSSL project announced a version<\/a> due to be released on Tuesday. It will include a fix for a critical-severity bug. We won\u2019t know the specifics of the issue until Tuesday\u2019s release, but it could be significant. As a result, we decided to delay the release of Fedora Linux 37. We are now targeting a release day of 15 November<\/a>.<\/p>\n

Imperfect information<\/h2>\n

Most decisions happen with imperfect information. This one is particularly imperfect. If you\u2019re not familiar with the embargo process, you might not understand why. When a security issue is discovered, this information is often shared with the project confidentially. This allows the developers to fix the issue before more people know about it and can exploit it. Projects then share information with downstreams so they can be ready.<\/p>\n

Ironically, Fedora\u2019s openness means we can\u2019t start preparing ahead of time. All of our build pipelines and artifacts are open. If we were to start building updates, this would disclose the vulnerability before the embargo lifts. As a result, we only know that OpenSSL considers this the highest level of severity and Red Hat\u2019s Product Security team strongly recommended we wait for a fix before releasing Fedora Linux 37.<\/p>\n

Balancing time and quality<\/h2>\n

As the Fedora Program Manager, our release schedule is my responsibility. I take pride in the on-time release streak I inherited from my predecessor. We kept it going through Fedora Linux 34 in April 2021. In that time, we made big technical changes (like switching to Btrfs as the default for most variants) and kept each other going through a pandemic. I\u2019m proud of what the community was able to accomplish under difficult circumstances.<\/p>\n

But being on time isn\u2019t the only factor. We know that you rely on Fedora Linux for work and for play, so quality is always a consideration. Knowing that we were going to delay for the OpenSSL vulnerability, the question became \u201chow long\u201d?<\/p>\n

We make the \u201cgo\/no-go\u201d decision on Thursdays for a release the following Tuesday. This gives time for the images to update to the mirrors. The OpenSSL project team plans to publish the security fix about 48 hours before we\u2019d make the go\/no-go decision for an 8 November target. Factoring in time to build the updated openssl package and generate a release candidate, that gives us about a day and a half to do testing. That\u2019s not enough time to be comfortable with a change to such an important package.<\/p>\n

As a result, we\u2019re giving ourselves an extra week so that we can be confident that Fedora Linux 37 has the same level of quality you\u2019ve come to expect.<\/p>\n

Was it the right decision?<\/h2>\n

Time will tell if we made the right decision or not. Today\u2019s Go\/No-Go meeting was lively and not everyone agrees that we should delay the release because of this. Like I said, we have little information to go on. It\u2019s important to note that the decision was made as a team, and not the dictate of a single person. Fedora values collaborative decision making, and this is a good example.<\/p>\n

When the details are released Tuesday, it may turn out we go \u201cwow, that was not worth delaying the release.\u201d But I think we made the best decision we could with the information we have available.<\/p>\n

In the meantime, please join us November 4\u20135 for the Fedora Linux 37 Release Party<\/a>. It will be a lot of fun, even if the release isn\u2019t quite out yet.<\/p>\n","protected":false},"excerpt":{"rendered":"

Fedora Linux 37 is going to be late; very late. Here\u2019s why. As you may have heard, the OpenSSL project announced a version due to be released on Tuesday. It will include a fix for a critical-severity bug. We won\u2019t know the specifics of the issue until Tuesday\u2019s release, but it could be significant. As […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[45,46,75,47,628],"class_list":["post-129260","post","type-post","status-publish","format-standard","hentry","category-fedora-os","tag-fedora","tag-magazine","tag-new-in-fedora","tag-news","tag-releases"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/129260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=129260"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/129260\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=129260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=129260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=129260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}