On Fri, Oct 02, 2015 at 02:19:19PM +0200, Ralf Corsepius wrote:
>> only for projects where upstream is fully active and cares about the
>> security vulnerabilities in the bundled copies of software well.
> Correct. That's one of the criteria FPC is trying to consider when
> granting bundling exceptions. Openly said, these are the easy cases;
> we often grant bundling exceptions.
>
> The problematic ones are those cases when it's obvious upstream
> lacks experience and/or technical skills to understand "unbundling"
> /"bundling" and resources to take care about "upstreams" of their
> bundled sources. These often are smaller projects - in many cases -
> one-man shows.

Ralf, right now the documented list of reasons FPC might allow exceptions
doesn't give this impression. The closest I see is "Active upstream
Security Team", but that has a number of qualifications linked by
capital letters and bold, like "the upstream project is actively working
on unbundling", and also notes "this rationale may not be sufficient in
and of itself" and that this exception is likely to be temporary.

Would you be open to a much broader guideline for exceptions, where the
expected, default answer would be "yes" when the upstream demonstrates
concern for security, whether by unbundling or by generating their own
updates in a responsive fashion?

(To be clear, I personally am in favor of also allowing more relaxed
bundling for smaller projects which are on the fringes of the system
integration you discuss. In other words, vastly expanding the "too small
to care" exception.)

-- 
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct