Thorsten Leemhuis fedora at
Wed Dec 5 16:32:01 UTC 2007

On 05.12.2007 16:51, Patrice Dumas wrote:
> On Wed, Dec 05, 2007 at 11:38:01AM +0100, Thorsten Leemhuis wrote:
>> On 05.12.2007 11:30, Patrice Dumas wrote:
>>> On Mon, Nov 26, 2007 at 05:18:19PM +0100, Thorsten Leemhuis wrote:
>>>> Sure it's dangerous and problematic -- but it's IMHO still way better
>>>> then to not ship a package just for hypothetical situation where a major
>>>> update might be the only way forward if a security issues comes up.
>>>> Besides: if we want to update for non-security reasons we can provide
>>>> compat packages as well, which should solve parts of the problem.
>>> Ok, but then what to do when a security issue is discovered in the
>>> package that is also relevant for the compat package but we don't want
>>> to backport it? Simply remove the compat package from the repo?
>> If there was a warning period or something like that, round about: yes.
>> Note that even RHEL does that iirc. Didn't they for example switch from
>> mozilla to seamonkey?
> But this is not exactly the same, since one obsolete the other.

Well, it was the same software in a newer version that also gotten a new

> So the 
> plan could be along obsoleting th ecompat package with the oldest compat
> package not having the security flaw? Otherwise the compat package will
> stay happily even though it isn't anymore in the repo.

Yeah, that could work.

But I think we just need to find individual solutions for problems when
we hit them.


More information about the epel-devel-list mailing list