On 1 November 2016 at 13:32, Tom Boutell <tom@xxxxxxxxxxx> wrote:

> I think that if a CVE arrives that we can't easily address through a patch, we have to be prepared to force an upgrade. Potentially "abandoning" a package that has CVEs in the wild, in the hope people will read about an optional upgrade, sounds like a policy we could regret.
>
> Is there any history of EPEL just abandoning a package? What should happen in that situation? Perhaps it's been necessary at some point (no support upstream, no one available downstream either...).

There is an incredibly long history of EPEL abandoning packages for the above reasons, all the time. It has been done pretty much from the get-go. The standard practice has been that when a package is no longer workable, it is withdrawn. Yes, it sucks all around, but in many cases this is the path that has been taken.

--
Stephen J Smoogen.

_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx