recruiting

Thorsten Leemhuis fedora at leemhuis.info
Wed Dec 5 16:32:01 UTC 2007



On 05.12.2007 16:51, Patrice Dumas wrote:
> On Wed, Dec 05, 2007 at 11:38:01AM +0100, Thorsten Leemhuis wrote:
>>
>> On 05.12.2007 11:30, Patrice Dumas wrote:
>>> On Mon, Nov 26, 2007 at 05:18:19PM +0100, Thorsten Leemhuis wrote:
>>>> Sure it's dangerous and problematic -- but it's IMHO still way better
>>>> than to not ship a package just for a hypothetical situation where a major
>>>> update might be the only way forward if a security issue comes up.
>>>> Besides: if we want to update for non-security reasons we can provide
>>>> compat packages as well, which should solve parts of the problem.
>>> Ok, but then what to do when a security issue is discovered in the
>>> package that is also relevant for the compat package but we don't want
>>> to backport it? Simply remove the compat package from the repo?
>> If there was a warning period or something like that, round about: yes.
>> Note that even RHEL does that iirc. Didn't they for example switch from
>> mozilla to seamonkey?
> But this is not exactly the same, since one obsoletes the other.

Well, it was the same software in a newer version that also got a new
name.

> So the 
> plan could be along obsoleting the compat package with the oldest compat
> package not having the security flaw? Otherwise the compat package will
> stay happily even though it isn't anymore in the repo.

Yeah, that could work.

But I think we just need to find individual solutions for problems when
we hit them.

CU
knurd



