FESCo accepted [1] a new policy to handle packages with long-standing
known security bugs in a way similar to FTBFS bugs:
AGREED: If a CRITICAL or IMPORTANT security issue is currently open
against a package, or a security issue of lower severity has been
open for at least 6 months, four weeks before the branch point a
procedure similar to long-standing FTBFS will be triggered
immediately, with 8 weeks of weekly notifications to maintainers and
subsequent orphaning and then subsequent removal from distribution.
This applies to all packages, not just leaf.
This policy will apply to F30 and later. The branch point is on
2019/02/19, so somewhere around January 22 the procedure should start
with notifications being sent out. Maintainers are of course encouraged
to fix any security issues immediately. See [2] for a list of currently
open security bugs.
[1]
https://pagure.io/fesco/issue/1935#comment-528180
[2]
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASS...
Zbyszek,
on behalf of FESCo