Quake3 security issue and non-responsive maintainer: Xavier Lamien

Stanislav Ochotnicky sochotnicky at redhat.com
Thu May 20 16:11:56 UTC 2010

On 05/11/2010 10:03 PM, Thomas Spura wrote:
> On Tuesday, 11.05.2010, at 17:47 +0800, Chen Lei wrote:
>> 2010/5/11 Rahul Sundaram <metherid at gmail.com>
>>         Hi
>>         https://admin.fedoraproject.org/pkgdb/acls/bugs/quake3
>>         Quake 3 engine needs to be updated.  The current version has security
>>         issues and breaks multiplayer in a couple of Quake3 based games such as
>>         OpenArena.  The maintainer has not responded in bugzilla since March and
>>         has not responded to private email either.  I would like to invoke the
>>         fast track process.   Meanwhile, I will be much obliged if someone
>>         updates Quake 3 to the latest version available and push out updates for
>>         Fedora 13 and 12.
>> It seems a lot of trivial packages in Fedora have been unmaintained for a
>> long time, even though those maintainers may still be active in the Fedora
>> community.  Maybe setting up an automatic orphan policy combined with
>> a package QA page is necessary now.
> A big +1!
> Gentoo has the same [1]:
> "Any developer suspected to be inactive for a period in excess of 60
> days may be subject to retirement. Developer Relations will first
> research and assess the situation, attempt to contact the developer, or
> if attempts are unsuccessful may choose to retire the developer. Please
> note that if you are in devaway for more than 60 days, you may also be
> considered inactive, however, return dates will be taken into
> consideration. If you are retired due to inactivity and wish to return,
> you need only contact Recruiters to begin the recruitment process again.
> "

I will just add a link to the Gentoo "devaway" system[1] for notifying other
developers/users/etc that they will not be participating in the community
for longer periods of time. The policy is to say approximately when you will
be returning to "full duty" and also to specify what to do with bugs for
packages that person is maintaining. Gentoo has more lenient ACLs as far
as CVS access is concerned though (everyone can touch everyone's files)
so there is no need to set up additional permissions (as Fedora
maintainers would have to do).

Perhaps this approach could be somehow integrated. When a developer sets
an "away" flag (in pkgdb or somewhere else) and there is no other
co-maintainer, anyone will be able to touch his spec files, not just

[1] http://dev.gentoo.org/devaway/

Stanislav Ochotnicky <sochotnicky at redhat.com>
Associate Software Engineer - Base Operating Systems Brno

PGP: 71A1677C
Red Hat Inc.                               http://cz.redhat.com
