On Thu, May 29, 2025 at 12:19 AM Neal Gompa <ngomp...@gmail.com> wrote:
>
> On Wed, May 28, 2025 at 5:52 PM Chris Adams <li...@cmadams.net> wrote:
> >
> > Once upon a time, Michael Catanzaro <mcatanz...@redhat.com> said:
> > > On Wed, May 28 2025 at 03:19:49 PM -05:00:00, Chris Adams
> > > <li...@cmadams.net> wrote:
> > > > So it's been another month and this still isn't resolved. I know
> > > > people on the Fedora side have been trying (don't want to complain
> > > > about effort). But if Fedora can't reliably get timely updates to a
> > > > package that has high security implications, it should NOT be
> > > > enabled by default, or even shipped by Fedora at all.
> > >
> > > Well you're not wrong. The risk level here is considerable.
> > >
> > > But without this package, users can't play videos, and there's
> > > nothing we can do about that other than point to RPM Fusion and hope
> > > they can figure out how to get what they need from there, which is
> > > not easy. So the consequences of dropping it are also considerable.
> > > Rock and hard place and all that.
> >
> > This package is for playing one particular encoding of videos (and only
> > certain profiles of that encoding from what I understand). There's also
> > nothing preventing Fedora from pointing users to Cisco's site to get
> > their provided binaries.
> >
> > There are always decisions between security and convenience, and Fedora
> > has typically gone for security (e.g. things like continually raising
> > the crypto policies). Leaving desktop users open to a high-rated CVE
> > for three months (and counting), in the name of convenience, is rather
> > bad IMHO.
>
> Honestly, we don't really push for security like that. We have
> generally provided optionality, but that doesn't mean we want security
> to outweigh our community and usability.

I wanna get that in writing from, let's say, somebody with write access to
https://docs.fedoraproject.org/en-US/project/

> The crypto policies are an example of the problems caused by pushing
> security above everything else, as we wound up with several releases in
> a row of the package manager being broken because RPM could no longer
> verify Google Chrome's GPG keys (among other things).

That's not how I remember things, like, at all. Which *released* versions
did the change ship in? FESCo said to revert for F38
(https://pagure.io/fesco/issue/2960), we did. That particular security
issue stays unfixed to date.

Was there more to it that I don't remember?

--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org