>>>>> "GS" == Gianluca Sforna <giallu@xxxxxxxxx> writes:

GS> If there are here any mantis users on older (AKA legacy) distros,
GS> maybe we can arrange a test grid with them but, again, that's
GS> going to be a fairly big work

Well, obviously if there aren't any users then the security issues aren't a problem. And maybe it is better to just say "if you're running Mantis on FC3 or FC4, we can't really help you". Which would be unfortunate, because it looks as if Debian already did the work to backport at least some of the fixes.

GS> Anyway ( sorry for being clueless ) why should we worry about
GS> legacy distros, instead of leaving that to something like an
GS> "Extras Legacy" SIG?

And who would do that, exactly? The security team exists to help, but maintenance of a package on all supported Fedora releases is still the responsibility of the maintainer of said package.

I don't think that anyone expects maintainers to keep a machine with each OS revision loaded so that everything can be tested; the community should be relied on for some of that. But when there are security problems it's still the maintainer's responsibility to evaluate them and evaluate the possible solutions and at least get those evaluations into the relevant bugzilla tickets. Even if it's just to say "sorry, it's just not feasible to fix this in a reasonable fashion" and perhaps provide packages somewhere that the user can manually upgrade to if they can't upgrade their full OS install.

Right now we don't even know how bad the security issues are, or if anyone has taken a look at how hard it would be to push an update.

 - J<

--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list