Claiming ownership of mantis

Jason L Tibbitts III tibbs at math.uh.edu
Sat Oct 7 22:26:42 UTC 2006


>>>>> "GS" == Gianluca Sforna <giallu at gmail.com> writes:

GS> If there are any Mantis users here on older (AKA legacy) distros,
GS> maybe we can arrange a test grid with them but, again, that's
GS> going to be fairly big work

Well, obviously if there aren't any users then the security issues
aren't a problem.  And maybe it is better to just say "if you're
running Mantis on FC3 or FC4, we can't really help you".  Which would
be unfortunate, because it looks as if Debian already did the work to
backport at least some of the fixes.

GS> Anyway ( sorry for being clueless ) why should we worry about
GS> legacy distros, instead of leaving that to something like an
GS> "Extras Legacy" SIG?

And who would do that, exactly?  The security team exists to help, but
maintenance of a package on all supported Fedora releases is still
the responsibility of the maintainer of said package.  I don't think
that anyone expects maintainers to keep a machine with each OS
revision loaded so that everything can be tested; the community should
be relied on for some of that.  But when there are security
problems it's still the maintainer's responsibility to evaluate them
and evaluate the possible solutions and at least get those evaluations
into the relevant bugzilla tickets.  Even if it's just to say "sorry,
it's just not feasible to fix this in a reasonable fashion" and
perhaps provide packages somewhere that the user can manually upgrade
to if they can't upgrade their full OS install.

Right now we don't even know how bad the security issues are, or if
anyone has taken a look at how hard it would be to push an update.

 - J<




More information about the fedora-extras-list mailing list