Thunderbird bz 579023 still not fixed even though there is an upstream fix available

Christopher Aillon caillon at redhat.com
Thu Apr 29 17:58:32 UTC 2010


On 04/27/2010 02:55 PM, Kevin Kofler wrote:
> I think that, sure, we should try to get patches upstreamed, but I don't see
> why we'd need to wait for their approval before applying them, other than
> due to the aforementioned trademark bureaucracy.

You really don't see the value in having the engineers that own the code 
give technical review?


> Firefox and Thunderbird are the ONLY high-profile packages in Fedora working
> that way, and there must be very few packages in Fedora being maintained in
> this style.


Getting sign-off is standard practice for the kernel too.  Maybe we 
should drop that package?

Anyway, it's unfortunate that this really isn't done more often.  I 
really think that as a project, we'd be doing a lot better if we 
mandated upstream review before applying patches to any package if you 
aren't an upstream maintainer of the code.  As it is now, it's somewhat 
scary to think how many packagers would take a bugfix patch and apply it 
without being able to figure out if there's a potential hidden exploit 
in it...
