On Wed, 22 Sep 2010 12:12:54 -0500
Bruno Wolff III <bruno@xxxxxxxx> wrote:

> On Wed, Sep 22, 2010 at 18:58:25 +0200,
> drago01 <drago01@xxxxxxxxx> wrote:
> >
> > In case of a security issue a random note somewhere "don't do that"
> > is not acceptable ... that's all I am saying here.
> > You are leaving users at risk by assuming that they will read that
> > notice (note: most won't).
>
> I disagree. There are lots of degrees to security bugs. How they are
> handled depends on the cost of fixing the issue and the impact of the
> bug. These tradeoffs are made all of the time.

I agree with Bruno here.

Security updates are very important and should be given a pretty high
weight in general, but there are lots of further factors:

- Does the security issue not affect Fedora in its default
  configuration?

- Is there a way to backport the fix to the current version instead of
  taking a vastly changed upstream head package version?

- Can some minor/not very used part of the existing package be disabled
  to prevent the security issue from being a problem?

Few things are black and white.

kevin
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel