critpath approval process seems rather broken

Mon Apr 11 19:13:54 UTC 2011

On Sun, 10 Apr 2011 15:41:25 +0900
TASAKA Mamoru <mtasaka at fedoraproject.org> wrote:

> Tomasz Torcz wrote, at 04/09/2011 07:57 PM +9:00:
> > On Sat, Apr 09, 2011 at 05:32:04AM +0200, Kevin Kofler wrote:
> >> Will Woods wrote:
> >>> In fact, there's plenty of approvers available, but you're not
> >>> engaging with them. They might not know how to test libtiff, or
> >>> what needs testing, so other stuff gets tested first.
> >>
> >> The fact is, this is a SECURITY UPDATE and as such it should go
> >> out even without testing. It's not acceptable to sit on security
> >> updates for weeks.
> >
> >    No, security updates are not _that_ special.  For example,
> > there's an avahi update in pipeline.  It has broken dependencies.
> > Pushing this would broke some systems. I'm talking about:
> > https://admin.fedoraproject.org/updates/avahi-0.6.27-6.fc14
> >
> 
> So as a result we are just leaving this security issue unresolved
> more than one month? Okay, it is all very well that we try to explain
> why the new updates request is not yet pushed, however then people
> would ask, "so why can't Fedora try to fix such issue like broken
> dependency ASAP? Short of man power? Is Fedora just making light
> of security issues?"
> 
> Who is responsible for this issue?

I would say (in order): 

- The person who submitted the update. 

- Any co-maintainers the package has that could fix it and push a new
  update. 

- Any provenpackagers who are interested in the package and can go fix
  it and push a fixed update. 

- FESCo or rel-eng if no one else steps up and someone notifies those
  bodies of the problem, so someone there can fix it. 

kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20110411/b153df4d/attachment-0001.bin