On Fri, 25 May 2018 08:55:01 -0700, you wrote:
On Fri, 2018-05-25 at 12:41 +0200, Sergio Pascual wrote:
> Hello, I'm going to build new cfitsio 3.450 in Rawhide. This involves a
> soname bump. Notice that I plan to do the same in F28 (with a buildroot
> override, etc) as cfitsio has security issues
>
https://bugzilla.redhat.com/show_bug.cgi?id=1570484
Thanks for the heads-up, but this is still not in line with the policy:
"When a proposed update contains an ABI or API change: notify a week in
advance both fedora-devel and maintainers directly (using the
packagename-owner@ alias) whose packages depend on yours to rebuild or
offer to do these rebuilds for them."
Does that even apply for a security update, as in this case?
Seems a bit dangerous to me to announce to the world there is a
security hole in a library, but by the way we won't be fixing it for
at least a week.
Obviously ideally a security fix wouldn't require an ABI/API change,
but far too many upstreams don't follow the ideal world.