Extras Security Policy
Hans de Goede
j.w.r.degoede at hhs.nl
Thu Sep 8 16:24:24 UTC 2005
Jeff Spaleta wrote:
> On 9/8/05, Christian.Iseli at licr.org <Christian.Iseli at licr.org> wrote:
>
>>If timer expires, and 4b exists, then apply 4b.
>>If timer expires and there are no comments, then temporarily disable the
>>package.
>
>
> explain to me.. how exactly you "disable" a package in a coherent way.
> An announcement isn't going to cut it. We have no toolized way at all
> to tell people about a "lack of update" on each client computer
> pulling packages from extras and no way to proactively "expire" a
> package so that client tools suggest people remove the package from
> their system because there are no more updates coming. rpm itself has
> no concept of "expiration"
>
> -jef
>
As I already said, just provide an empty package with a higher evr and
virtual provides; bins could be replaced with a script saying "temporarily
disabled because of security reasons".
Missing libs will cause other packages to break, which is kinda nasty
but imho better than leaving a security hole open for an unspecified time.
Regards,
Hans
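
The stub package described in the message above, written out as an RPM spec. This is an added example, not part of the original post and not Fedora's own packaging. The package name foo, its versions, the virtual provide foo-engine and the packager address are hypothetical.

```spec
# Constructed example: "foo", its versions and "foo-engine" are hypothetical.
Name:           foo
Version:        1.2
# Assumption: the last vulnerable build was 1.2-3. A higher release makes
# the EVR compare newer, so update tools pull this stub in as an upgrade.
Release:        4.disabled
Summary:        Placeholder for foo, temporarily disabled for security reasons
License:        Public Domain
Group:          Applications/System
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root

# Virtual provides: capabilities the real package advertised, kept so that
# packages requiring them by name still resolve. Shared-library sonames are
# not provided, so packages linked against foo's libraries will break, as
# the message notes.
Provides:       foo-engine = %{version}

%description
Empty replacement for foo, which is temporarily disabled because of an
unfixed security issue. Installing it removes the vulnerable files.

%prep
%build

%install
rm -rf %{buildroot}
mkdir -p %{buildroot}%{_bindir}
# Replace the real binary with a script that only explains the situation.
cat > %{buildroot}%{_bindir}/foo <<'EOF'
#!/bin/sh
echo "foo is temporarily disabled because of security reasons." >&2
exit 1
EOF
chmod 0755 %{buildroot}%{_bindir}/foo

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root,-)
%{_bindir}/foo

%changelog
* Thu Sep 08 2005 Example Packager <packager@example.com> - 1.2-4.disabled
- Replace package contents with a stub until a security fix is available
```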