Thunderbird bz 579023 still not fixed even though there is an upstream fix available
matt at mattmccutchen.net
Fri Apr 30 03:46:01 UTC 2010
On Thu, 2010-04-29 at 10:58 -0700, Christopher Aillon wrote:
> I really think that as a project, we'd be doing a lot better if we
> mandated upstream review before applying patches to any package if you
> aren't an upstream maintainer of the code. As it is now, it's somewhat
> scary to think how many packagers would take a bugfix patch and apply it
> without being able to figure out if there's a potential hidden exploit
> in it...
Review, perhaps, but not approval. Fedora and upstream are independent
organizations each pursing their own goals. Trademarks aside, Fedora
shouldn't be bound by upstream decisions any more than upstream is bound
by our packaging guidelines or obliged to accept patches to comply with
them. For comparison, disapproval from upstream libpng sure didn't stop
Mozilla from patching libpng with APNG support.
And the relevant qualification for a reviewer is knowledge of the code,
not affiliation with upstream.
More information about the devel