1) People will work on what they're motivated to, regardless of how this fits redhat's, the Fedora Project's, or anyone else's, plans and aims, and whether this is the best overall use of resources or not.
2) There are still plenty of rh7.x/rh8 installations in the wild. It does the reputation of the RH/FC line (and linux as a whole) no good if these are rooted. The legacy project, and its aim of providing security updates to the original packages, only exists to support people in keeping their systems safe. By mitigating the consequences of many possible vulnerabilities, this package, potentially, contributes more to keeping legacy installations secure than a whole bunch of updated rpms. So, is it surprising that those responsible for legacy systems, who use and contribute to fedora-legacy, also care about other protective measures such as this?
3) Personally, I think this is great idea, and that Warren's proposal for a well described manual installation is spot on.
What he said. ;)
One thing to note: Warren, you mention that you would like to keep libsafe as a manual upgrade. I would prefer to see it in it's own channel in case we do need to upgrade it.
Is the RPM mentioned in the libsafe bug report the one to check out?
-Dave