[ACTION REQUIRED] Retiring packages for F-17

Ralf Corsepius rc040203 at freenet.de
Tue Jan 17 18:31:23 UTC 2012


On 01/17/2012 05:26 PM, Michael Schwendt wrote:
> On Tue, 17 Jan 2012 09:54:39 -0500, SG (Stephen) wrote:
>
>> On Tue, 2012-01-17 at 02:21 +0100, Kevin Kofler wrote:
>>> While that makes some sense, it was not my point. My point was that even if
>>> the package has NO maintainer, as long as it works, it's still better than
>>> no package at all!
>>
>> Not true. A package that appears to work, has people using it, but has
>> no one maintaining it is likely to become a package that has exploitable
>> security issues.
>
> Kind of a poor example, albeit a valid one, too. Any bug might have
> an impact.
>
> The general question of "Who handles bug reports (including security
> related ones)?" is still unanswered. It doesn't even need to be a real
> security vulnerability. Any bug report that isn't handled can lead to
> shipping software that doesn't work or doesn't work well enough. Worse if
> bug reports pile up with nobody responding to them. Fedora users are
> annoyed, if bugzilla appears to be no better than /dev/null.
Well, you leave me no other choice but to pronounce something you 
probably don't want to hear:

It's not uncommon for Fedora users to be confronted with /dev/null style
answers. It's just that they are called "FIXED RAWHIDE", "FIXED
UPSTREAM" or "no reply" and not explicitly labeled "/dev/null" ;)

> Perhaps there would not be just a team that rebuilds hundreds to thousands
> of "unmaintained" and possibly unused packages as needed, in Kevin's
> scenario there might be a Security SIG that would handle [properly
> tracked] security issues.
I don't question that such security issues/risks exist, but would question
whether these are for real.

IMO, the risks of being affected by security issues in new packages
which had not seen wider use (or even security audits) are much larger
than those in packages which often had been in the wild for many years.

Ralf

