> On 1/30/20 8:32 AM, Kevin Kofler wrote:
> Issues which are blocking on upstream will eventually get resolved once
> upstream figures out a solution in some time, maybe with subsequent rebases.

Which is fine.  Should Fedora in the meantime ship known vulnerable software?  
But the point, if I understand correctly, is valid.  We don't want to 
automatically assume security bugs are being ignored.  They could be waiting on 
upstream.  So maybe this requires a different categorization where 
bugs/packages can be in a parked state while we wait on upstream?  This would 
help communicate that the issue is being dealt with to the casual BZ viewer.

> If
> fixing security issues is extra work for packagers, then we are doing
> something wrong here. What percentage of security flaws will be
> closed:upstream? Why do we drop other fixes for such issues and
> eventually end up having tons of pending fixes?

For Fedora I think the majority of security bugs will be resolved via a new 
upstream release.  There are situations where we are also the upstream for the 
project we're packaging, and oftentimes the same person does the 
upstream work and the packaging.  For these cases I think communicating that 
work is being done is more important.

> Do we want to continue the same condition as described here:
> https://mivehind.net/2020/01/28/Fedora-has-too-many-security-bugs/
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org