EPEL Orphaned packages with vulnerabilities

Till Maas opensource at till.name
Sun Aug 17 17:36:51 UTC 2014

On Thu, Aug 14, 2014 at 11:54:59AM +0200, Karel Volný wrote:

> >There is now a security initiative to handle the outstanding security
> >bugs.
> that's cool that somebody cares
> however, do you really think that users will appreciate this way of handling
> the bugs, i.e. removing important libraries instead of patching them?

If there is nobody that patches the library, I do not see how this is an

> >>>Perhaps you can un-retire the package(s) and maintain them?
> >>
> >>why should I fix things *you* broke?
> >
> >Please calm down. If the package and its dependencies should stay in
> >EPEL, they need to be maintained.
> probably my Google is broken, but I cannot find where this is set in stone?
> I've always thought that it works in the way that if package gets orphaned,
> it simply won't make it into next version of the distribution, not that it
> should get removed from the current version, causing regressions for users
> ...?

For me it is kind of common sense. Why should it be a good idea to ship
packages with known vulnerabilities? As you can see from the long list
of orphaned packages with known vulnerabilities, just orphaning packages
in EPEL creates a dangerous situation where users installing packages
from EPEL assume they are well taken care of, but in reality they are
not. So I discussed this with others and retiring orphaned packages
after a certain time seemed good to us. However, I did not intentionally
retire a package that is depended upon, but since it is really easy to
undo retirement in EPEL, I do not see much harm done.

> >So if you would like to have the package in EPEL, you need to find
> >a maintainer or maintain it.
> sorry, I just don't follow your logic
> it wasn't me who did the action - why should I undo it?

I really do not get what what is your motivation. You are a package
maintainer with a package that depends on an orphaned library with
security vulnerabilities. Why do you not want to fix this? First you
wanted to get a better heads up, which I agree would have been better,
but I do not see how this would have changed anything, because still
nobody cares enough about libmodplug to unretire it and fix the security
vulnerability. Since you maintain a package that depends on it, you are
the first candidate to do this.


More information about the epel-devel mailing list