On 1/30/20 8:32 AM, Kevin Kofler wrote:
Miro Hrončok wrote:
> My idea was that within half a year, it should be either fixed or CLOSED
> as WONTFIX or UPSTREAM. If we don't agree, I'm completely fine making it
> 12 months or even ignore such bugs in the policy entirely.
I don't see how it is an improvement to close security fixes that are
blocking on upstream (in)action as UPSTREAM, as opposed to keeping them open
so that it is clear to everyone that they need to be fixed.
Issues which are blocking on upstream will eventually get resolved once
upstream figures out a solution in some time, maybe with subsequent rebases.
I think that the policy being discussed here just ought to be dropped
entirely, because it will do absolutely nothing to make Fedora actually more
secure, but only amounts to extra bureaucracy and extra work for packagers.
fixing security issues is extra work for packagers, then we are doing
something wrong here. What percentage of security flaws will be
closed:upstream? Why do we drop other fixes for such issues and
eventually end up having tons of pending fixes?
Do we want to continue the same condition as described here:
Huzaifa Sidhpurwala / Red Hat Product Security