#975 Minimum security standards
Closed: nothingtodo 8 months ago by james. Opened 4 years ago by rharwood.

Hi, as far as I can tell, nothing states that known-insecure software isn't permitted in Fedora.

In my view, users have a reasonable expectation that the software present in our distro has been curated and subject to scrutiny. Unfortunately, nothing cryptographic enters into that: we can (and have!) ship known-insecure software in the distribution.

To give an example, I'm the former maintainer of krb5-appl. I say "former" because we removed it from the distro with F27. At the recommendation of I think sgallagh, we did this using the change process so that it couldn't simply be un-orphaned. Having actual policy in place here would mean we don't have to do things like this, as well as letting us set a minimum security standard for the distro.

I'm not sure the best place for this kind of change - Forbidden items would be a good fit except that it's focused around the legal issues.


I absolutely swear that at some point I typed up a response here, but looking over old tickets I see this has no response attached. So I'll try to remember what I typed all that time ago.

Basically, this committee focuses more on how to package, not on what to package. If FESCo or even the Council wants to make a determination that "known insecure" software can't be packaged (and I don't personally think there's an easy way to define that) then the packaging committee can document it somewhere. https://docs.fedoraproject.org/en-US/packaging-guidelines/what-can-be-packaged/ would be a good place.

If there is a list of specific pieces of software which we want to keep out of the distro (such as the krb5-appl example above) then we could give those a place either on that "What Can Be Packaged" page or in someplace linked from there.

We could also easily add some words about checking for security issues and giving them due consideration before packaging something, though I suspect that a better place for that would be somewhere in the documentation for packagers, which is itself a separate project. (Separate enough that I don't know off the top of my head where it is living now.)

They are published as docs.fp.o/package-maintainers; the sources are at pagure.io/fedora-docs/package-maintainer-docs. Pull requests for this kind of content are welcome. Those docs are not authoritative in the sense that anything there would need a FESCo decision or such. Any packager who wants to share knowledge or good practices is welcome to contribute.

Metadata Update from @james:
- Issue close_status updated to: nothingtodo
- Issue status updated to: Closed (was: Open)
