Extras submissions (was: Re: Orphaned and potentially unmaintained packages)

Michael Schwendt fedora at wir-sind-cool.org
Sun Jan 30 21:51:21 UTC 2005


On Sun, 30 Jan 2005 22:20:04 +0200, Ville Skyttä wrote:

> When a Core release enters Legacy, IMO it would make sense to split the
> corresponding Extras distro components and move them over to extras-
> legacy or something at the same time, and apply the fedoralegacy.org
> criteria for further updates to them.  Hopefully fedoralegacy.org could
> also host the BTS and mirrors for extras-legacy.

Hmmm, some time in the future, Fedora Extras would benefit from a
dedicated security team and vendor-sec info, too.

Right now it would help if community contributors, who monitor bugtraq
and similar lists, report incidents in bugzilla.

> Whether the packager providing updates for the Legacy Extras distros and
> the current ones is the same one doesn't really matter.  Or whether
> there is a designated Extras Legacy maintainer at all, actually.

Agreed.

In either case, if no one reported a vulnerability, even if it were
announced publicly on respective mailing-lists, the uncertainty of
offering outdated and vulnerable packages is undesirable. So, if something
is considered unsupported, it ought to be announced as such. Is deleting
an individual package an option when it is known that it's vulnerable?

> IMHO, it's better to not update legacy stuff at all than to release
> blindfolded it-builds-so-it-works updates, even into a "testing"
> repository.

Yeah, we need guidelines or policies for this. Packagers often track only
the current distribution version and maybe one older one or a relative,
e.g. RHEL.




