On Wed, 2019-09-18 at 23:24 +0200, Kevin Kofler wrote: > And if an otherwise maintained package FTBFS, if it does not actually > need > any change, I don't see how this is even an issue at all.
FTBFS packages can get CVEs filed against them and then they can be difficult to fix. There are a few problems: * The FTBFS package often has no maintainer to notice the CVE in the first place, which means it is likely to just be vulnerable without any other packagers noticing. * If someone does notice the CVE and wants to fix it, they have to first figure out why the package doesn't build. This is at a minimum extra work for the maintainer, and in some cases it could be that it is impossible to fix the FTBFS (for example, if the package requires an older dependency than is in the distribution that was removed or upgraded years ago). * If it is impossible to fix the FTBFS and there is a CVE, we also cannot remove the vulnerable package from stable releases. The current policy does curtail that last problem (but does not eliminate it entirely) by removing some FTBFS packages before they have CVEs. Of course, we do have unmaintained software in the distribution despite this policy, but the policy does lead to *fewer* unmaintained packages, which means fewer packages with the above problems. The FTBFS policy essentially is an "are you there?" to the maintainer. It is a disservice to our users to provide them with unmaintained packages, and this is one tool we have to find out if packagers are still around.
signature.asc
Description: This is a digitally signed message part
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
