Nicolas Mailhot wrote:
> And I absolutely do not mean FEL should be a separate entity with no
> access to FE resources. It could be a FE SIG or something else within
> FE. But there must be some coordinating structure, and package lifetimes

I think that there is enough of a negative connotation with the word
"Legacy" that we should avoid calling it that. That would effectively
shove it aside with the expectation that "somebody else" is supposed to
be working on it.

Instead a "team" of some sort should work on organizing the security
response. The "team" focuses on these tasks:
* Tracking where there are vulnerabilities
* Notifying existing maintainers

Meanwhile, the "team" and everyone else has the option of working on:
* obviously orphaned packages
* orphaned packages only in older distributions

The database created by the "team" is used in judgement of retirement
metrics. If it becomes plainly obvious that the community is not willing
to maintain an older distribution, then we can go through a warning
period and later retire the distro.

The bug list(s), multiple owner thing, moving Core and Extras closer
together, are all things that would help the above model.

Warren
--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list