Security Response Team / EOL

Michael A. Peters mpeters at
Fri Apr 28 17:24:50 UTC 2006

On Fri, 2006-04-28 at 18:48 +0200, Michael Schwendt wrote:

> This is not a worst case, this is pretty normal. IMO. Scenario: "FC5 has
> just been released. Packager's primary machine is upgraded to FC5. FC4 is
> abandoned. FC3 even more." I'm aware that some packagers use mock to
> test-build their packages for older dists. I'm also aware that some use
> multi-boot environments or virtual machines to do run-time tests. But
> often, overall package quality suffers when package maintainers no longer
> use the old distributions regularly.

I no longer have an FC-3 box.
I'll only request builds for FC-3 if I know it works there, or there is
a bug and I know what fixes it.

That actually bothers me a little - I need to move around some stuff and
do an FC3 install. I don't have the time to do that probably until June.

> We needed policies, so either
> a) an official team inside Fedora Extras gets the power (= the privileges)
> to intervene,

The person who sponsored the contributor at least has that authority if
I correctly recall - but yes, some people should have the authority, at
least with security patches, to intervene and apply them.

For non security patches I think the standard pings to the developer and
getting it listed as orphaned is the correct procedure.

> or
> b) arbitrary FE Contributors can intervene in accordance with
> policies.

I personally would rather have it be FE Contributors who have been given
such authority. Such as specified members of the security team. Both for
legacy and for "current".

> This is not just about security vulnerabilities. It can also happen that a
> critical bug in a popular package doesn't get fixed, because the package
> owner seems to be unavailable (or is known to be unavailable).

In those cases, the package should be considered orphaned if the person
doesn't respond. IMHO.

More information about the fedora-extras-list mailing list