On Fri, 2006-04-28 at 14:12 +0200, Michael Schwendt wrote:
> On Fri, 28 Apr 2006 12:50:27 +0200, Thorsten Leemhuis wrote:
>
> > > On Friday, 28.04.2006, 12:20 +0200, Patrice Dumas wrote:
>
> We do agree that package maintainers may abandon their packages for legacy
> branches, don't we? A marker-file in CVS is easy to do, an unimportant
> implementation detail. A security response team (or co-maintainers,
> whatever, it doesn't matter) would need to take over those packages.

Well, security affects all packages, and "security leaks" are very likely to affect all available versions.

Therefore, I disagree upon this "strong ownership assignment" in your sentences and can't find it useful.

But I don't disagree upon a "security task force intervening/modifying a package", regardless of whether a package is in current or in legacy, no matter if it's orphaned or actively maintained, nor whether a packager is on vacation or suffering from a broken email access.

Otherwise we are very likely to see a "Security task force" or "legacy team" fixing bugs in legacy, that will stay open for some time in "current".

Or to put it differently: I think you are mixing 2 completely independent issues:

* Regular maintenance of "legacy" packages the "nominal maintainer" in current has abandoned to actively maintain.
* Security response.

Ralf

--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list