"xz" lessons learned: if/how to involve Fedora Magazine in CVE handling?

There was a lot of confusion between pre-beta, beta, beta release and final release in recent days throughout Fedora channels. So I am not sure myself if we are all currently on the same page (and if mine is the correct one : ) But allow me to be a little simplistic (and assume that users are even more likely to end up in confusion than we are):

There have been F40 betas out there since 26th March, and the malicious code was reverted later, whereas “pre-beta” indicates that only the F40 of the time before any beta received malicious code.

What I read yesterday evening in the mailing list is that it seems the article shall be updated once again, since the formulation as it currently is was based on the confusion between “beta release” and “final release”. So it ain’t correct, right?

A different formulation is found on the RH article:

… complemented immediately by

So if updated, it got the package; it is still likely not to be vulnerable given Richard’s actions, but it is still suggested to update to be safe. I tend to assume that this is what we want to tell our users, too?

I assume your argument meant that the malicious code in beta was broken and thus fixed by Richard’s actions?
Anyway, I think at this time it is more about if (or more importantly: how) the magazine is eligible in the future for this type of time-critical communication, publishing, continuous exchange and update: so the “lessons learned” from the past days.