On Tue, Jul 31, 2018 at 09:09:58AM +0530, Huzaifa Sidhpurwala wrote: > Hi All, > > I was asked to bring this issue[1] to the developer community before > FESCO makes a decision. > > In several instances[2] there exists packages in Fedora, in which > package-maintainers did not patch security issues, for multiple reasons > including 1. non-responsive maintainer 2. issue hard to patch 3. no one > cares? > > This is a risk for the distribution, our users and community as a whole > and not to mentioned bad PR :) > > I would like to propose the following: > > > 1. If a CRITICAL or IMPORTANT security issue is open against a package > in Fedora-X and by the time X is EOL and the issue is not addressed, > proactively remove the package from X+1 > 2. If a MODERATE or LOW security issue is open against a package in > Fedora -X and by the time X+! is EOL, the issue is not addressed, remove > it from X+2 What do you mean by 'issue is not addressed' here ? Hopefully it is still valid to simply close the issues as WONTFIX or NOTABUG. IMHO for some low or even moderate severity issues it is often wiser to simply wait till next major Fedora release to pick up a rebased upstream release, rather than do a hairy backport which can risk creating as many problems as it solves. This would imply closing Fedora X as WONTFIX, while Fedora X+2 gets a fix still due to rebased version. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/3KJEWYZT2KSRCNTM2XHVZRS3XOMDIGCH/
