How quickly should we retire orphaned packages?
Haïkel
hguemar at fedoraproject.org
Thu Aug 21 14:52:37 UTC 2014
2014-08-21 16:23 GMT+02:00 Matthew Miller <mattdm at fedoraproject.org>:
> On Thu, Aug 21, 2014 at 04:19:17PM +0200, Haïkel wrote:
>> > (c) An orphaned package is not necessarily a risk ("security" has been
>> > mentioned here ...). Just because it might be a risk on rare
>> > occasions doesn't mean we have to throw out every orphaned package.
>> > Security bugs can sit around in non-orphaned packages too.
>> You're right, but filtering packages that we could safely keep or not
>> would require manual filtering (though it could be partly automated)
>> We don't have enough manpower for that, unless a group wants to make a
>> counter-proposal, I don't see a better way to solve that issue.
>
> Could we move these to an "at your own risk" separate repository rather than
> deleting them, except for when we know that there's a critical security
> issue?
>
Sounds reasonable to me, that might require adapting our infrastructure though.
> --
> Matthew Miller
> <mattdm at fedoraproject.org>
> Fedora Project Leader
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
More information about the devel
mailing list