drago01 drago01 at
Wed Sep 22 18:56:07 UTC 2010

On Wed, Sep 22, 2010 at 8:35 PM, Kevin Fenzi <kevin at> wrote:
> On Wed, 22 Sep 2010 12:12:54 -0500
> Bruno Wolff III <bruno at> wrote:
>> On Wed, Sep 22, 2010 at 18:58:25 +0200,
>>   drago01 <drago01 at> wrote:
>> >
>> > In case of a security issue a random note somewhere "don't do that"
>> > is not acceptable ... that's all I am saying here.
>> > You are leaving users at risk by assuming that they will read that
>> > notice (note: most wont).
>> I disagree. There are lots of degrees to security bugs. How they are
>> handled depends on the cost of fixing the issue and the impact of the
>> bug. These tradeoffs are made all of the time.
> I agree with Bruno here.
> Security updates are very important and should be given a pretty high
> weight in general, but there are lots of further factors:
> - Does the security issue not affect fedora in it's default
>  configuration?
> - Is there a way to backport the fix to the current version instead of
>  taking a vastly changed upstream head package version?
> - Can some minor/not very used part of the existing package be disabled
>  to prevent the security issue from being a problem?
> Few things are black and white.

Might be true but a random notice on some website / mailinglist /
$whatever is NOT a fix. period.

More information about the devel mailing list