EPEL Orphaned packages with vulnerabilities

Karel Volný kvolny at redhat.com
Thu Aug 14 09:54:59 UTC 2014


> There is now a security initiative to handle the outstanding security
> bugs.

that's cool that somebody cares

however, do you really think that users will appreciate this way of 
handling the bugs, i.e. removing important libraries instead of patching 

>>> Perhaps you can un-retire the package(s) and maintain them?
>> why should I fix things *you* broke?
> Please calm down. If the package and its dependencies should stay in
> EPEL, they need to be maintained.

probably my Google is broken, but I cannot find where this is set in stone?

I've always thought that it works in the way that if package gets orphaned, 
it simply won't make it into next version of the distribution, not that it 
should get removed from the current version, causing regressions for users 

> So if you would like to have the package in EPEL, you need to find
> a maintainer or maintain it.

sorry, I just don't follow your logic

it wasn't me who did the action - why should I undo it?


Karel Volný
QE BaseOs/Daemons Team
Red Hat Czech, Brno
tel. +420 532294274
(RH: +420 532294111 ext. 8262074)
xmpp kavol at jabber.cz
:: "Never attribute to malice what can
::  easily be explained by stupidity."

More information about the epel-devel mailing list