On Thu, 2010-04-29 at 10:58 -0700, Christopher Aillon wrote:

> I really think that as a project, we'd be doing a lot better if we
> mandated upstream review before applying patches to any package if you
> aren't an upstream maintainer of the code. As it is now, it's somewhat
> scary to think how many packagers would take a bugfix patch and apply it
> without being able to figure out if there's a potential hidden exploit
> in it...

Review, perhaps, but not approval. Fedora and upstream are independent organizations, each pursuing their own goals. Trademarks aside, Fedora shouldn't be bound by upstream decisions any more than upstream is bound by our packaging guidelines or obliged to accept patches to comply with them. For comparison, disapproval from upstream libpng sure didn't stop Mozilla from patching libpng with APNG support.

And the relevant qualification for a reviewer is knowledge of the code, not affiliation with upstream.

-- Matt

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel