Dear All,

I was made aware that EOL software with known security bugs that will not be fixed upstream (due to EOL status) was reviewed and accepted into Fedora recently. This came on the back of the FPC ticket [1] asking to make some changes in the Python Packaging Guidelines. I did go back and re-read our current guidelines and found that we don't have any policy on that. As a result, I opened a FESCo ticket [2] with the aim of establishing a clear policy on how to treat EOL software with known security vulnerabilities.

My proposal is:

1. Prevent EOL software with known security vulnerabilities from entering Fedora in the first place, i.e. make it a review bullet point (if the package is EOL it MUST NOT have any known security vulnerabilities). If existing packages are found to be EOL and have known security vulnerabilities, the vulnerability must either be patched by the maintainer (or otherwise handled, e.g. by switching to an actively maintained fork) or the package must be removed from Fedora.

2. A ticket may be opened to FESCo applying for an exception to the above. FESCo should most likely seek the advice of the Fedora Security Team in such cases.

Please read comments in both referenced tickets to avoid repeating arguments which were given already.

References:
[1] https://fedorahosted.org/fpc/ticket/650
[2] https://fedorahosted.org/fesco/ticket/1634

Regards,
Dominik
--
Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org
"Faith manages." -- Delenn to Lennier in Babylon 5: "Confessions and Lamentations"