On Thu, Mar 13, 2008 at 10:24:31AM -0700, Robert Relyea wrote:
> This may be OK for some types of packages, but crypto has challenges of its
> own. There are constantly new attacks published against existing crypto
> implementations. These attacks are not necessarily 'bugs' in the
> implementation, per se (not the same way a stack overflow or an
> uninitialized variable is a bug -- even if it's latent), but improvements
> in the state of the art of cryptanalysis. Any crypto code without a very
> active upstream tracking these issues will very quickly atrophy and become
> vulnerable.

Network-facing clients and servers have the same security issues. But this
doesn't allow us to make a one-for-all decision regarding maintaining or not
this kind of package in Fedora. The maintainer may be skilled enough and
have enough time to substitute for the upstream. We cannot say it in
advance, and should leave it to the maintainer.

(The export stuff is another issue, a legal issue).

--
Pat