Okay, it seems that everyone is opposed to the removal or crippling of
mpg321. We should go ahead with our first security update announcement.
In order to do so, we should have a security announcement template
with all necessary fields that you normally find in announcements.
Please suggest a formatted template that contains all the usual things
you find in security announcements for packages. Don't forget md5sums,
GPG keyid, URLs. We should create a legacy advisory numbering system,
and a standardized Subject line. Message subjects would then be something
like "Fedora Legacy Advisory FL000425: libfoo format string vulnerability".
Once you write the advisory template, fill in that template with sample
information for the libfoo update so we can be sure our advisory format
works.

After we agree upon that template, then the draft for the mpg321
no-package Legacy security advisory must be written advising users about
the license issue preventing update, and suggestion to remove mpg321.

Then lastly someone must emerge as a leader for this project, and
perhaps create a "Fedora Legacy Advisory" GPG key for signing these
announcements before they go to the various mailing lists.

Jesse, do you know if we got those other mailing lists?

I am leaving this to the group to discuss and ratify the template
format, and decide who will be the announcement signer(s). My school
semester begins next week Monday, so you must become self-sufficient,
initiate and work on these things yourself. I hope my kick-start of the
project is sufficient enough to give the group structure enough to pick
it up from here.

Warren