On 2 November 2016 at 10:24, Tom Boutell <tom@xxxxxxxxxxx> wrote:
> I see. Since MongoDB is under a GNU license, I assume you do not literally
> mean you have zero access to the changes being made to it in SCL.

Just because something is under a GNU license does not mean that anyone has access to the file. The GNU license only covers the rights of a person who got the executable from the 'vendor' that they have access to the source code.

> My assumption is that you actually mean there's no advanced or privileged
> access. So if some bad juju goes down, and we want to look to SCL For help,
> Marek or whoever is maintaining 2.6 for EPEL at the time would have to wait
> for those packages to appear in SCL before the process of porting them to
> EPEL can even begin, time during which 2.6 is still vulnerable. Yes?

What I am saying is that EPEL is made up of volunteers. If you are volunteering to do this work then great. If you are expecting that someone else is going to do this work for you.. then not so great.

>
> As for other solutions to security issues, is there any history of these packages resolving security issues with mongodb with external OS-level features rather than via patches to the code? It seems unlikely, in that a hack like firewalling it would be too unsubtle by half and break functionality outright.
> _______________________________________________
> epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx

--
Stephen J Smoogen.