#1028 tor package concerns
Closed None Opened 6 years ago by kevin.

I've been asked by a concerned Fedora user to ask FESCo to look into the Fedora tor package.

There are outstanding security issues, and the maintainer is not timely about pushing them out. There are a number of comments on mailing lists I have seen advising people to not use the Fedora package and simply install from upstream.

Additionally, the maintainer doesn't wish to push updates out without karma even if there are known security issues and the timeout has expired.

https://bugzilla.redhat.com/show_bug.cgi?id=903516

https://bugzilla.redhat.com/show_bug.cgi?id=880313

https://bugzilla.redhat.com/show_bug.cgi?id=903515

https://bugzilla.redhat.com/show_bug.cgi?id=739368

https://bugzilla.redhat.com/show_bug.cgi?id=856989

https://bugzilla.redhat.com/show_bug.cgi?id=860192

Perhaps the maintainer would add co-maintainers or simply step back from maintaining.


Enrico has kindly given me commit access to all Fedora Tor packages :)

Great. Have you had a chance to look at updating it and addressing all the bugs?

Is Enrico open to doing so?

I've talked with jamielinux and he's busy working on the bugs and updates.

He's fine with closing this for now...

So, I am reopening this for further discussion.

In particular I'd like us to clarify if a maintainer should hold a security update until it gets enough karma to promote as well as how much 'personal style' should be allowed in packages.

agreed remove Enrico from tor maintainership (+6,0,0)

Done.

jamielinux is the new owner of the packages in the Fedora branches.
