On Thu, Jan 30, 2020 at 02:28:30PM +0100, Kevin Kofler wrote: > Daniel P. Berrangé wrote: > > Ignoring low bugs also probably isn't a viable stragegy > > for EPEL, because that's a long life distro stream, and > > so won't automatically get low CVE fixes via a rebase > > in 6 months like we do in Fedora. So the CVE mountain > > is even bigger for EPEL, and also more serious due to its > > long lifecycle. > > Given that RHEL completely ignores low-impact security issues, I do not see > why EPEL should be held to a higher standard than RHEL itself. I didn't say RHEL completely ignores them. They are not fixed asynchronously but we do fix them in the next regular minor release. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 100 libraries supported. http://fedoraproject.org/wiki/MinGW _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
