Fedora security response time

One of the problems not covered is that the Fedora mirroring system is a pull system where the downstream mirrors are in control of when they pull and what they pull. There are 4 tier-0 mirrors which we seed 12 tier-1 mirrors at various universities and public orgs like kernel.org. Those 12 feed all the level 2 mirrors. There is no CDN because those cost money in both pushing data into them and pulling data out of them. We have had a couple of offers for CDN data but use it for only limited uses as we found it took more than 24 hours to sync up the amount of data we normally change in a day to the CDN.

Finally Fedora does not push updates to clients. A client may check for updates regularly if they are running the standard desktop, or they may only do so when they can afford the cost on a metered line.

There are ways around this, but they all come with costs in time, release engineering changes, and tooling in client, server and user expectations. Those all need someone to drive the changes over the long term it will take to implement.