On Thu, May 29, 2025 at 12:34 PM Neal Gompa <ngomp...@gmail.com> wrote:
>
> On Thu, May 29, 2025 at 5:42 AM Alexander Sosedkin <asosed...@redhat.com> wrote:
> >
> > On Thu, May 29, 2025 at 12:19 AM Neal Gompa <ngomp...@gmail.com> wrote:
> > >
> > > On Wed, May 28, 2025 at 5:52 PM Chris Adams <li...@cmadams.net> wrote:
> > > >
> > > > Once upon a time, Michael Catanzaro <mcatanz...@redhat.com> said:
> > > > > On Wed, May 28 2025 at 03:19:49 PM -05:00:00, Chris Adams
> > > > > <li...@cmadams.net> wrote:
> > > > > > So it's been another month and this still isn't resolved. I know
> > > > > > people on the Fedora side have been trying (don't want to complain
> > > > > > about effort). But if Fedora can't reliably get timely updates to a
> > > > > > package that has high security implications, it should NOT be
> > > > > > enabled by default, or even shipped by Fedora at all.
> > > > >
> > > > > Well you're not wrong. The risk level here is considerable.
> > > > >
> > > > > But without this package, users can't play videos, and there's
> > > > > nothing we can do about that other than point to RPM Fusion and hope
> > > > > they can figure out how to get what they need from there, which is
> > > > > not easy. So the consequences of dropping it are also considerable.
> > > > > Rock and hard place and all that.
> > > >
> > > > This package is for playing one particular encoding of videos (and only
> > > > certain profiles of that encoding from what I understand). There's also
> > > > nothing preventing Fedora from pointing users to Cisco's site to get
> > > > their provided binaries.
> > > >
> > > > There are always decisions between security and convenience, and Fedora
> > > > has typically gone for security (e.g. things like continually raising
> > > > the crypto policies). Leaving desktop users open to a high-rated CVE
> > > > for three months (and counting), in the name of convenience, is rather
> > > > bad IMHO.
> > >
> > > Honestly, we don't really push for security like that. We have
> > > generally provided optionality, but that doesn't mean we want security
> > > to outweigh our community and usability.
> >
> > I wanna get that in writing from, let's say,
> > somebody with write access to
> > https://docs.fedoraproject.org/en-US/project/
> >
> > > The crypto policies is an example of the problems
> > > caused by pushing security above everything
> > > else, as we wound up with several releases in a row of the package
> > > manager being broken because RPM could no longer verify Google
> > > Chrome's GPG keys (among other things).
> >
> > That's not how I remember things, like, at all.
> > Which *released* versions did the change ship in?
> > FeSCO said to revert for F38 (https://pagure.io/fesco/issue/2960), we did.
> > That particular security issue stays unfixed to date.
> > Was there more to it that I don't remember?
>
> Yes. The revert didn't apply to anyone who had installed or upgraded
> during the timeframe it was active, so everyone who didn't manually
> set it back has a broken package manager.
What? How? I'd like more details on how that's possible.