On Tue, Jun 16, 2020 at 08:49:57PM +0000, Jóhann B. Guðmundsson wrote:
> Unless the process and the approach of "If it builds let's
> has not been changed over the years then the end user might be getting
> a package that is not actually being maintained in the distribution
> thus already is a security risk ( without it being flagged retired )
> to begin with so arguably that problem needs to be solved first or at
> the same time as this.
Nearly every webapp packaged by Fedora is in this boat.
Dokuwiki was a particularly egregious example; the packaged version was
completely *broken* between F25 and late-F28, incompatible with the PHP7
interpreter that Fedora shipped in those releases.
That incompatibility was a blessing of sorts, as it also meant that
between F25 and late-F28, the multiple CVEs present in that package
(I actually reported this brokenness in F25. That ticket ended up being
auto-closed when F27 came out, without the package getting fixed...)
I think people first need to establish what perception and thus
people put in the words retired, broken, maintained etc. before the proper
course of action can be taken.
"retired" tells you nothing more than "no longer packaged".
"packaged" does not mean "maintained by fedora". It certainly
mean "kept up to date with upstream releases" or "kept updated with
And "broken" in this context means nothing more than "failed to
package/build", because "packaged" doesn't mean "it actually
Solomon Peachy pizza at shaftnet dot org (email&xmpp)
@pizza:shaftnet dot org (matrix)
High Springs, FL speachy (freenode)