Daniel P. Berrangé wrote:
Ignoring low bugs also probably isn't a viable stragegy
for EPEL, because that's a long life distro stream, and
so won't automatically get low CVE fixes via a rebase
in 6 months like we do in Fedora. So the CVE mountain
is even bigger for EPEL, and also more serious due to its
long lifecycle.
Given that RHEL completely ignores low-impact security issues, I do not see
why EPEL should be held to a higher standard than RHEL itself.
Kevin Kofler