On Wed, 2019-09-18 at 23:24 +0200, Kevin Kofler wrote:
> And if an otherwise maintained package FTBFS, if it does not actually need
> any change, I don't see how this is even an issue at all.

FTBFS packages can get CVEs filed against them and then they can be difficult to fix. There are a few problems:

* The FTBFS package often has no maintainer to notice the CVE in the first place, which means it is likely to just be vulnerable without any other packagers noticing.

* If someone does notice the CVE and wants to fix it, they have to first figure out why the package doesn't build. This is at a minimum extra work for the maintainer, and in some cases it could be that it is impossible to fix the FTBFS (for example, if the package requires an older dependency than is in the distribution, one that was removed or upgraded years ago).

* If it is impossible to fix the FTBFS and there is a CVE, we also cannot remove the vulnerable package from stable releases.

The current policy does curtail that last problem (but does not eliminate it entirely) by removing some FTBFS packages before they have CVEs. Of course, we do have unmaintained software in the distribution despite this policy, but the policy does lead to *fewer* unmaintained packages, which means fewer packages with the above problems.

The FTBFS policy essentially is an "are you there?" to the maintainer. It is a disservice to our users to provide them with unmaintained packages, and this is one tool we have to find out if packagers are still around.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx