On Fri, 12 Mar 2010, Matthew Garrett wrote:

>> RHEL has the resources to backport. Centos uses those backports for
>> free, but does not generate them (unless again the party supporting a
>> component for Centos happens to be upstream in RHEL).
>
> Debian has historically managed this. I really don't buy the argument
> that security or other critical fixes are generally difficult to
> backport.

I thought that this was the reason why a package maintainer exists in the first place, to maintain the package (not the content):

- wraps software into rpm and pushes it to distro
- monitors new releases and makes updates
- *communicates* between fedora userspace and upstream

So in case fedora's users suffer from a security bug, the maintainer collects the facts (what version, how many users are affected, important details from bug reports and debugging information, etc), talks to upstream and if the security bug is not backported, (s)he asks upstream to do so. They probably have the best skills to do so. I don't see how this wouldn't be in everyone's interest, even from the upstream point of view. They most likely don't want such a reputation that their software is dangerous to use.

Unless the maintainer has issues with communication and social skills, this could very well be a problem and not that far fetched. I wonder how many maintainers have even sent a short email to upstream and said: "hello, thank you for coding this cool software with an opensource license. I'm packaging it now for Fedora, please send me announcements etc and please don't hesitate to contact me if you have something in mind, I'm your contact at this end".

Frankly, if you ask me, I'd rather take all backporting done by someone who actually knows what he's doing. And the same goes for packaging.

As for KDE's "there won't be any more bugfix releases after a new feature release" - so what? How many real security issues have there been in history? Five? Ten? I bet those all would be backported by upstream if the community size of Fedora really needed them. Everyone who cannot wait those couple of months can check out and compile it themselves.

Tuju
--
You want to throw out the baby with the bathwater! - K. Kofler
Your baby is my bathwater. I don't want the OS you're building. - J. Keating

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel