Oh No! Fedora 37 Release Gets Delayed

The Fedora 37 release is being delayed for a security fix. Here's what you should know about it.

The Fedora team usually sets both an early target date and a delayed fallback date in its release schedule.

This time around, Fedora 37 is getting pushed back by an unexpected delay. The release target date first moved from 18th October to 25th October, and then to 1st November.

Now, we have to wait until 15 November 2022 for Fedora 37 to be available for download.

But why the delay? Isn't the testing complete for Fedora 37? What is the hold-up?

OpenSSL has announced a new version that addresses a critical security bug. The new version is scheduled for release on November 1, 2022.

Until the release, Fedora's team is unaware of the details regarding the security fix. It could be significant, so Red Hat recommends waiting for it before releasing Fedora 37.

Here's what Fedora's Program Manager mentions in a blog post:

When a security issue is discovered, this information is often shared with the project confidentially. This allows the developers to fix the issue before more people know about it and can exploit it. Projects then share information with downstreams so they can be ready.

Ironically, Fedora’s openness means we can’t start preparing ahead of time. All of our build pipelines and artifacts are open. If we were to start building updates, this would disclose the vulnerability before the embargo lifts. As a result, we only know that OpenSSL considers this the highest level of severity and Red Hat’s Product Security team strongly recommended we wait for a fix before releasing Fedora Linux 37.

Time Needed to Test the Release Candidate With OpenSSL's New Version

The developers need enough time to test Fedora 37's release candidate after they update the necessary package.

While they could rush it, they intend to push a release only after they are confident about it:

The OpenSSL project team plans to publish the security fix about 48 hours before we’d make the go/no-go decision for an 8 November target. Factoring in time to build the updated openssl package and generate a release candidate, that gives us about a day and a half to do testing. That’s not enough time to be comfortable with a change to such an important package.

Considering it is an important update, it is an excellent decision to test it and prepare it for release.

Of course, the delay could be for nothing if the security fix is not a massive one.

However, I believe it is better to have a release that provides a secure experience out of the box instead of having a vulnerable package.

