On Tue, Jul 31, 2018 at 09:09:58AM +0530, Huzaifa Sidhpurwala wrote:
> Hi All,
> I was asked to bring this issue[1] to the developer community before
> FESCO makes a decision.
> In several instances[2] there exist packages in Fedora in which
> package maintainers did not patch security issues, for multiple reasons
> including 1. non-responsive maintainer 2. issue hard to patch 3. no one
> cares?
> This is a risk for the distribution, our users and community as a whole
> and not to mention bad PR :)
> I would like to propose the following:
> 1. If a CRITICAL or IMPORTANT security issue is open against a package
> in Fedora-X and by the time X is EOL the issue is not addressed,
> proactively remove the package from X+1
> 2. If a MODERATE or LOW security issue is open against a package in
> Fedora-X and by the time X+1 is EOL the issue is not addressed, remove
> it from X+2
What do you mean by 'issue is not addressed' here? Hopefully it is still
valid to simply close the issues as WONTFIX or NOTABUG. IMHO for some low
or even moderate severity issues it is often wiser to simply wait till next
major Fedora release to pick up a rebased upstream release, rather than do
a hairy backport which can risk creating as many problems as it solves.
This would imply closing Fedora X as WONTFIX, while Fedora X+2 still gets a fix
due to the rebased version.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|