On Tue, Mar 25, 2014 at 9:43 AM, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:
> On Tue, Mar 25, 2014 at 09:29:12AM -0400, Josh Boyer wrote:
>> > I like the idea of actually revisiting the list and deciding what to do,
>> > although pulling them out of the repository seems unnecessarily drastic.
>> This always winds up being the suggestion. Nobody actually does
>> anything about it. I'd only be supportive of this on two conditions:
>
> Well, I was looking through the list.... there are some important packages
> in here, including gcc, nss, samba, httpd, and a lot more. And tcp_wrappers.
> :) Many of these really deserve the attention.

I find that difficult to believe given that they haven't had said
attention in 7 years and stuff is still working.

>> 1) Actual bugs impacting actual people as a result of an improper spec
>> file were present
>> 2) One of the bodies responsible for packages in Fedora (FESCo, FPC,
>> ?) agreed to conduct audits across all packages for guideline
>> adherence at regular intervals.
>>
>> I'd be willing to not require item 1 if item 2 were actually done. It
>> never has been, and if it had it would already suffice for the purpose
>> the merge review tickets would serve today.
>
> I don't think that we need to do it across *all* packages. I'd like to see
> it done initially for all packages that end up part of the base design.
> That's a more manageable chunk and will focus the effort where it will have
> the most benefit.

Under the premise that some is better than none, OK. I have doubts
that regularly scheduled _recurring_ audits will actually be done at
all for any set of packages though. The argument is always lack of
people doing it. The solution is automation. The argument against
_that_ is lack of people doing it and complexity to do it properly in
an automated fashion. Vicious cycles are vicious.

josh
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct