On Thu, 30 Jan 2020 at 15:47, Richard Shaw <hobbes1069(a)gmail.com> wrote:
4. I'm not a C/C++ programmer and certainly not a security expert. If I can find a
link to a fix for another distro, such as debian, I'll apply it but more often than
not there's nothing there when I look. I'll even file an issue upstream but most
of the time it's ignored.
Programming language knowledge doesn't imply intimate knowledge of
every software development framework a program written in that
language may be based on. Neither does it imply intimidate knowledge
of the program and its source code. That is when packagers consult
upstream developers, and not even for upstream developers all security
issues are trivial to fix. Sometimes potential fixes are controversial
and require software development that goes far beyond what packagers
do.
5. A of times it's for an EPEL package that's much older than
the current release so the fix for Fedora can't be easily applied to EPEL.
Also true.