> >>> I don't know how the assumption came up that F40 is only affected if > >>> users opted in for testing, but that interpretation already ended up > >>> in the Fedora Magazine and in the official linkedin post of Fedora (I > >>> already asked to correct it). > >> > >> I believe that statement is correct, since none of the xz-5.6.x > >> packages ever made it to F40 stable. The furthest they've got was > >> updates-testing, which is not enabled in the official Beta releases.
The updates-testing repo isn't used in the Beta compose but it is enabled by default so if someone took the beta and then applied updates they would have automatically got the compromised package, there's nuance there. > >> However, if you installed F40 before Beta was released, then > >> updates-testing is enabled and users may have installed the vulnerable > >> package with a simple `sudo dnf upgrade`. The same would be the case if they installed Beta. -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
