Huzaifa Sidhpurwala wrote: > Hi All, > > I was asked to bring this issue[1] to the developer community before > FESCO makes a decision. > > In several instances[2] there exists packages in Fedora, in which > package-maintainers did not patch security issues, for multiple reasons > including 1. non-responsive maintainer 2. issue hard to patch 3. no one > cares? > > This is a risk for the distribution, our users and community as a whole > and not to mentioned bad PR :) > > I would like to propose the following: > > > 1. If a CRITICAL or IMPORTANT security issue is open against a package > in Fedora-X and by the time X is EOL and the issue is not addressed, > proactively remove the package from X+1 > 2. If a MODERATE or LOW security issue is open against a package in > Fedora -X and by the time X+! is EOL, the issue is not addressed, remove > it from X+2 I don't think this is practical, we'll lose half the distro (are at least large chunks). Initially, such a proposal may be possible if generally limited to leaf packages. -- Rex _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/2PXSOOOPRNXIBHFUC2RHJFMVGDC6INZI/
