Huzaifa Sidhpurwala wrote:
Hi All,
I was asked to bring this issue[1] to the developer community before
FESCO makes a decision.
In several instances[2] there exist packages in Fedora in which
package maintainers did not patch security issues, for multiple reasons
including 1. non-responsive maintainer 2. issue hard to patch 3. no one
cares?
This is a risk for the distribution, our users and community as a whole,
and not to mention bad PR :)
I would like to propose the following:
1. If a CRITICAL or IMPORTANT security issue is open against a package
in Fedora-X and by the time X is EOL and the issue is not addressed,
proactively remove the package from X+1
2. If a MODERATE or LOW security issue is open against a package in
Fedora-X and by the time X+1 is EOL the issue is not addressed, remove
it from X+2
I don't think this is practical, we'll lose half the distro (or at least
large chunks).
Initially, such a proposal may be possible if generally limited to leaf
packages.
-- Rex