On Sun, Jul 2 2023 at 09:53:30 PM +0000, "Smith, Stewart via devel" devel@lists.fedoraproject.org wrote:
With this development model, what is the thought for those who may want to / be able to submit pull requests to CentOS Stream with security fixes?
It really depends. CentOS Stream does accept merge requests. With respect to security fixes in particular, I would certainly expect Red Hat would accept most merge requests that fix security problems. However, landing any change requires a relatively high amount of effort from a relatively large number of people compared to Fedora, where packagers are in charge and things are much simpler. So whether or not your merge request will be accepted into CentOS Stream will be a business decision rather than a community decision. Factors that are outside your control will be considered (e.g. "how busy is QA team right now?"). So my suggestion is to talk to the developers you see in the package changelog before submitting a merge request. Merge requests will often (hopefully even generally) be welcome, but not always. It's open source, but it's not a true community project like Fedora.
For WebKitGTK specifically, I'm not interested in patching individual CVEs in CentOS Stream: it's generally much easier and safer to just always update to the latest upstream release instead.
Michael