FESCo accepted [1] a new policy to handle packages with long-standing known security bugs in a way similar to FTBFS bugs:
AGREED: If a CRITICAL or IMPORTANT security issue is currently open against a package, or a security issue of lower severity has been open for at least 6 months, four weeks before the branch point a procedure similar to long-standing FTBFS will be triggered immediately, with 8 weeks of weekly notifications to maintainers and subsequent orphaning and then subsequent removal from distribution. This applies to all packages, not just leaf.
This policy will apply to F30 and later. The branch point is on 2019/02/19, so somewhere around January 22 the procedure should start with notifications being sent out. Maintainers are of course encouraged to fix any security issues immediately. See [2] for a list of currently open security bugs.
[1] https://pagure.io/fesco/issue/1935#comment-528180 [2] https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGN...
Zbyszek, on behalf of FESCo
devel-announce@lists.fedoraproject.org