Re: [ACTION REQUIRED] Retiring packages for F-17

On 01/17/2012 05:26 PM, Michael Schwendt wrote:
> On Tue, 17 Jan 2012 09:54:39 -0500, SG (Stephen) wrote:
>
>> On Tue, 2012-01-17 at 02:21 +0100, Kevin Kofler wrote:
>>> While that makes some sense, it was not my point. My point was that even if
>>> the package has NO maintainer, as long as it works, it's still better than
>>> no package at all!
>>
>> Not true. A package that appears to work, has people using it, but has
>> no one maintaining it is likely to become a package that has exploitable
>> security issues.
>
> Kind of a poor example, albeit a valid one, too. Any bug might have
> an impact.
>
> The general question of "Who handles bug reports (including security
> related ones)?" is still unanswered. It doesn't even need to be a real
> security vulnerability. Any bug report that isn't handled can lead to
> shipping software that doesn't work or doesn't work well enough. Worse if
> bug reports pile up with nobody responding to them. Fedora users are
> annoyed, if bugzilla appears to be no better than /dev/null.

Well, you leave me no other choice but to pronounce something you probably don't want to hear:

It's not uncommon for Fedora users to be confronted with /dev/null style answers. It's just that they are called "FIXED RAWHIDE", "FIXED UPSTREAM" or "no reply" and not explicitly labeled "/dev/null" ;)

> Perhaps there would not be just a team that rebuilds hundreds to thousands
> of "unmaintained" and possibly unused packages as needed, in Kevin's
> scenario there might be a Security SIG that would handle [properly
> tracked] security issues.

I don't question such security issues/risks exist, but would question these are for real.

IMO, the risks of being affected by security issues in new packages which had not seen wider use (or even security audits) are much larger than those in packages which often had been in the wild for many years.

Ralf
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


