Looks fine to me.

While security fixes are almost always the reason the committee grants approval for an incompatible update, we could in theory grant approval for other reasons. Instead of saying "If CVE is critical or high severity", how about "In the case of a critical or high severity CVE,"?

I agree with this adjustment for CVEs that are rated as critical.

I do not think it's justified for CVEs that are only rated as high. The EPEL 7 Will It CVE page currently shows 50 CVE bugs with a high rating. The EPEL 8 Will It CVE page currently shows 29 CVE bugs with a high severity. And this is after a concentrated effort by the CPE EPEL team to close out dozens of CVEs over the last year or so. Many of these CVEs are multiple years old. Waiting a week for the discussion and committee vote is simply not a big deal in the scope of the decade lifecycle of RHEL and thus EPEL. RHEL doesn't even fix all CVEs rated important (roughly the equivalent to NVD's high rating in Red Hat's classification system).

In the case of a rejected incompatible update, if the maintainer has already submitted the change to the epel-testing repo, they will likely need to introduce an epoch in order to undo the update for users who have already applied it. I think we should minimize the likelihood of this situation by limiting this practice to critical rated CVEs only.

After discussion in the EPEL Steering Committee meeting it was decided to do just critical. I'll get an update to this pull request in a bit.

I believe this is what everyone agreed on in the meeting.

Sorry for the one extra commit. I had just noticed that this was finishing up one of the discussion points.

Looks pretty good to me.