Kevin Fenzi kevin at
Wed Sep 22 18:35:44 UTC 2010

On Wed, 22 Sep 2010 12:12:54 -0500
Bruno Wolff III <bruno at> wrote:

> On Wed, Sep 22, 2010 at 18:58:25 +0200,
>   drago01 <drago01 at> wrote:
> > 
> > In case of a security issue a random note somewhere "don't do that"
> > is not acceptable ... that's all I am saying here.
> > You are leaving users at risk by assuming that they will read that
> > notice (note: most wont).
> I disagree. There are lots of degrees to security bugs. How they are
> handled depends on the cost of fixing the issue and the impact of the
> bug. These tradeoffs are made all of the time.

I agree with Bruno here. 

Security updates are very important and should be given a pretty high
weight in general, but there are lots of further factors: 

- Does the security issue not affect fedora in it's default
- Is there a way to backport the fix to the current version instead of
  taking a vastly changed upstream head package version?
- Can some minor/not very used part of the existing package be disabled
  to prevent the security issue from being a problem?

Few things are black and white. 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : 

More information about the devel mailing list