Beecrypt retired
Robert Relyea
rrelyea at redhat.com
Thu Mar 13 17:24:31 UTC 2008
Patrice Dumas wrote:
> On Thu, Mar 13, 2008 at 12:33:17AM -0500, Toshio Kuratomi wrote:
>
>> There's some basis for Jef's argument in the "Fedora is not a dumping
>> ground for old, unmaintained software" philosophy. OTOH, the line between
>> no upstream, a little upstream activity, and maintained by the Fedora
>> Packager could get blurry here. So if we're planning on proposing some
>> actual guidelines regarding what is an appropriate level of upstream
>> activity to consider a package for Fedora, a conversation about this is
>> *definitely* needed.
>>
>
> This comes up now and then. Some packages are completely unmaintained, but
> also completely stable and don't need an upstream maintainer anymore, so
> that maintaining them in Fedora is right.
This may be OK for some types of packages, but crypto has challenges of
its own. There are constantly new attacks published against existing
crypto implementations. These attacks are not necessarily 'bugs' in the
implementation, per se (not the same way a stack overflow or an
uninitialized variable is a bug -- even if it's latent), but
improvements in the state of the art of cryptanalysis. Any crypto code
without a very active upstream tracking these issues will very quickly
atrophy and become vulnerable.
bob