On Sun, 10 Apr 2011 15:41:25 +0900
TASAKA Mamoru <mtasaka@xxxxxxxxxxxxxxxxx> wrote:

> Tomasz Torcz wrote, at 04/09/2011 07:57 PM +9:00:
> > On Sat, Apr 09, 2011 at 05:32:04AM +0200, Kevin Kofler wrote:
> >> Will Woods wrote:
> >>> In fact, there's plenty of approvers available, but you're not
> >>> engaging with them. They might not know how to test libtiff, or
> >>> what needs testing, so other stuff gets tested first.
> >>
> >> The fact is, this is a SECURITY UPDATE and as such it should go
> >> out even without testing. It's not acceptable to sit on security
> >> updates for weeks.
> >
> > No, security updates are not _that_ special. For example,
> > there's an avahi update in pipeline. It has broken dependencies.
> > Pushing this would break some systems. I'm talking about:
> > https://admin.fedoraproject.org/updates/avahi-0.6.27-6.fc14
> >
>
> So as a result we are just leaving this security issue unresolved
> for more than one month? Okay, it is all very well that we try to explain
> why the new updates request is not yet pushed, however then people
> would ask, "so why can't Fedora try to fix such issue like broken
> dependency ASAP? Short of man power? Is Fedora just making light
> of security issues?"
>
> Who is responsible for this issue?

I would say (in order):

- The person who submitted the update.

- Any co-maintainers the package has that could fix it and push a new
  update.

- Any provenpackagers who are interested in the package and can go fix
  it and push a fixed update.

- FESCo or rel-eng if no one else steps up and someone notifies those
  bodies of the problem, so someone there can fix it.

kevin
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel