Security Response Team / EOL

Michael A. Peters mpeters at
Fri Apr 28 17:24:50 UTC 2006

On Fri, 2006-04-28 at 18:48 +0200, Michael Schwendt wrote:

> This is not a worst case, this is pretty normal. IMO. Scenario: "FC5 has
> just been released. Packager's primary machine is upgraded to FC5. FC4 is
> abandoned. FC3 even more." I'm aware that some packagers use mock to
> test-build their packages for older dists. I'm also aware that some use
> multi-boot environments or virtual machines to do run-time tests. But
> often, overall package quality suffers when package maintainers no longer
> use the old distributions regularly.

I no longer have an FC-3 box.
I'll only request builds for FC-3 if I know it works there, or there is
a bug and I know what fixes it.

That actually bothers me a little - I need to move around some stuff and
do an FC3 install. I don't have the time to do that probably until June.

> We needed policies, so either
> a) an official team inside Fedora Extras gets the power (= the privileges)
> to intervene,

The person who sponsored the contributor at least has that authority if
I correctly recall - but yes, some people should have the authority, at
least with security patches, to intervene and apply them.

For non security patches I think the standard pings to the developer and
getting it listed as orphaned is the correct procedure.

> or
> b) arbitrary FE Contributors can intervene in accordance with
> policies.

I personally would rather have it be FE Contributors who have been given
such authority. Such as specified members of the security team. Both for
legacy and for "current".

> This is not just about security vulnerabilities. It can also happen that a
> critical bug in a popular package doesn't get fixed, because the package
> owner seems to be unavailable (or is known to be unavailable).

In those cases, the package should be considered orphaned if the person
doesn't respond. IMHO.

