I've been asked by a concerned Fedora user to ask FESCo to look into the Fedora tor package.
There are outstanding security issues, and the maintainer is not timely about pushing them out. There are a number of comments on mailing lists I have seen advising people to not use the Fedora package and simply install from upstream.
Additionally, the maintainer doesn't wish to push updates out without karma even if there are known security issues and the timeout has expired.
https://bugzilla.redhat.com/show_bug.cgi?id=903516
https://bugzilla.redhat.com/show_bug.cgi?id=880313
https://bugzilla.redhat.com/show_bug.cgi?id=903515
https://bugzilla.redhat.com/show_bug.cgi?id=739368
https://bugzilla.redhat.com/show_bug.cgi?id=856989
https://bugzilla.redhat.com/show_bug.cgi?id=860192
Perhaps the maintainer would add co-maintainers or simply step back from maintaining.
Enrico has kindly given me commit access to all Fedora Tor packages :)
Great. Have you had a chance to look at updating it and addressing all the bugs?
Is Enrico open to doing so?
I've talked with jamielinux and he's busy working on the bugs and updates.
He's fine with closing this for now...
So, I am reopening this for further discussion.
In particular I'd like us to clarify if a maintainer should hold a security update until it gets enough karma to promote as well as how much 'personal style' should be allowed in packages.
Done.
jamielinux is the new owner of the packages in the Fedora branches.