http://www.fedora.us/LEGACY
Now that we have a few potential security update packages, we must
discuss the publish procedure.

We cannot just go ahead and build everything that people submit and
place it into the updates-testing repository. I suggest that we need at
least one preliminary check to make sure the package is a proper Legacy
update (not a wild version upgrade), proper patching, and not malicious.

I suggest that we have two levels of approval, the first being necessary
for "updates-testing". While in "updates-testing" we receive GPG
clearsigned feedback. Perhaps further package patching will be
necessary. Then after a certain threshold of positive feedback we
approve for "updates". But it matters who the feedback is from...

http://www.fedora.us/wiki/PackageSubmissionQAPolicy

We need to discuss how to change this procedure for Legacy specific
packages.

We also need to change the definition of "trusted" for Legacy specific
packages, along with the requirements for reaching the "trusted" status.

Thoughts?

Warren