EPEL Orphaned packages with vulnerabilities

Till Maas opensource at till.name
Tue Aug 19 20:11:46 UTC 2014


On Tue, Aug 19, 2014 at 03:02:27PM +0200, Karel Volný wrote:

> the person who cares about the security bugs could have been the one to
> patch - it is not uncommon that things are fixed by other people than the
> owner (e.g. qmmp, that is owned by me, got recently updated in F20 by Rex
> Dieter because of some PulseAudio stuff ..)

Yes, it is not necessarily the maintainer that needs to take care of
stuff, but the maintainer should at least ask for help or coordinate
this.

> I thought we've always advertised EPEL as "best effort", so I'd dismiss such
> assumptions as unfounded ... well, I know this is not nice, but I see it as
> the best (i.e. least bad) option, as we don't have the capacity to deal with
> every single problem in the (enterprise linux) world

> so ... suppose someone will follow
> http://fedoraproject.org/wiki/Package_SCM_admin_requests#Package_Change_Requests_for_existing_packages
> 
> but it won't fix the cves ... what now, will it get back anyways?

> I'm not a good candidate, I'm not a programmer ... I understand the things
> enough to cherry pick a patch that can be applied directly, but I can hardly
> rewrite the patch for a different code of some old version, especially when
> I'm completely unfamiliar with the sources; probably I'd be able to handle
> it somehow in the end, but for a price of a lot of time that I'd need to use
> for other things (hey, I have a family waiting for me :-))
> 
> from what I understand from the bugzilla, everything got fixed upstream so
> rebase would be the least-effort solution that basically anyone (including
> me) could handle
> 
> however, we don't like to do rebases in EPEL ... would it be viable in this
> situation?
> 
> - at least on EL5 it would mean the need to rebuild the dependent packages
> ... but we need to rebuild them anyways as the dependency became broken ...

Yes, a simple rebase will help here and is IMHO applicable here, since
it is the lesser evil. It is not necessarily necessary to rebuild the
dependent packages, if libmodplug did not change too much. Therefore in
this case, I would consider it pretty irresponsible to just get
libmodplug back in the state it is without taking care of the easy to
fix vulnerabilities.

Regards
Till