#2956 Does FESCo want to implement the policy for retiring packages with security bugs?
Closed: Rejected a year ago by zbyszek. Opened a year ago by mattdm.

This got brought to me, and now I'm bringing it back to you. :)

Four years ago, FESCo approved a policy for retiring packages with known security vulnerabilities. FESCo ticket #2090

That got turned into a rel-eng ticket (Rel-Eng ticket 7793), which (as happens sometimes) stalled.

Miro attempted to revive things with a devel list post — RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers. Some discussion ensued, no clear consensus, and the rel-eng issue sat.

What do we want to do now?

  1. Re-open discussion?
  2. Remind people that this is a long-term plan, ask rel-eng to implement?
  3. Something else?

Back then, I decided not to invest more energy into this, when I saw that far too many packagers think that such a policy would be their enemy. I don't want to be the one who drives away contributors.

On one hand, I am sad that the Package maintainer responsibilities policy is ignored by many, but on the other, I am afraid that if we police more things, we might end up with nothing more to police.

We didn't get to this topic during today's meeting; it will be discussed next week, unless we think it would be a good idea to open a discussion on the devel mailing list instead.

Metadata Update from @sgallagh:
- Issue tagged with: meeting

a year ago

AGREED: In the current environment, FESCo feels that the CVE bug process is insufficient to support implementing this policy. This can be revisited in the future if conditions improve. (+6, 0, -0) (sgallagh, 18:23:40)

Metadata Update from @sgallagh:
- Issue untagged with: meeting

a year ago

Let's close this ticket now. We can always reopen it if circumstances change.

Metadata Update from @zbyszek:
- Issue close_status updated to: Rejected
- Issue status updated to: Closed (was: Open)

a year ago
