Security Response Team / EOL

Ralf Corsepius rc040203 at freenet.de
Fri Apr 28 12:29:49 UTC 2006


On Fri, 2006-04-28 at 14:12 +0200, Michael Schwendt wrote:
> On Fri, 28 Apr 2006 12:50:27 +0200, Thorsten Leemhuis wrote:
> 
> > On Friday, 28.04.2006, 12:20 +0200, Patrice Dumas wrote:

> We do agree that package maintainers may abandon their packages for legacy
> branches, don't we? A marker-file in CVS is easy to do, an unimportant
> implementation detail. A security response team (or co-maintainers,
> whatever, it doesn't matter) would need to take over those packages.
Well, security affects all packages, and "security leaks" are very
likely to affect all available versions.

Therefore, I disagree with this "strong ownership assignment" in your
sentences and can't find it useful. But I don't disagree with a
"security task force intervening/modifying a package", regardless of
whether a package is in current or in legacy, no matter if it's orphaned
or actively maintained, nor whether a packager is on vacation or
suffering from broken email access.

Otherwise we are very likely to see a "Security task force" or "legacy
team" fixing bugs in legacy that will stay open for some time in
"current".

Or to put it differently: I think you are mixing 2 completely
independent issues:
* Regular maintenance of "legacy" packages that the "nominal maintainer"
in current has stopped actively maintaining.
* Security response.

Ralf