On Tue, Jun 16, 2020 at 08:49:57PM +0000, Jóhann B. Guðmundsson wrote:
> Unless the process and the approach of "If it builds let's ship it"
> has not been changed over the years then the end user might be getting
> a package that is not actually being maintained in the distribution
> thus already is a security risk ( without it being flagged retired )
> to begin with so arguably that problem needs to be solved first or at
> the same time as this.

Exactly! Nearly every webapp packaged by Fedora is in this boat.

Dokuwiki was a particularly egregious example; the packaged version was completely *broken* between F25 and late-F28, incompatible with the PHP7 interpreter that Fedora shipped in those releases. That incompatibility was a blessing of sorts, as it also meant that between F25 and late-F28, the multiple CVEs present in that package weren't exploitable.

(I actually reported this brokenness in F25. That ticket ended up being auto-closed when F27 came out, without the package getting fixed...)

> I think people first need to establish what perception and thus meaning
> people put in the words retired, broken, maintained etc. before the proper
> course of action can be taken.

"retired" tells you nothing more than "no longer packaged".

"packaged" does not mean "maintained by fedora". It certainly doesn't mean "kept up to date with upstream releases" or "kept updated with security fixes".

And "broken" in this context means nothing more than "failed to package/build", because "packaged" doesn't mean "it actually works/runs".

- Solomon

--
Solomon Peachy  pizza at shaftnet dot org (email&xmpp)
@pizza:shaftnet dot org (matrix)
High Springs, FL  speachy (freenode)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx