On Thu, May 29, 2025 at 1:51 PM Neal Gompa <ngomp...@gmail.com> wrote:
>
> On Thu, May 29, 2025 at 7:28 AM Alexander Sosedkin <asosed...@redhat.com> 
> wrote:
> >
> > On Thu, May 29, 2025 at 12:34 PM Neal Gompa <ngomp...@gmail.com> wrote:
> > >
> > > On Thu, May 29, 2025 at 5:42 AM Alexander Sosedkin <asosed...@redhat.com> 
> > > wrote:
> > > >
> > > > On Thu, May 29, 2025 at 12:19 AM Neal Gompa <ngomp...@gmail.com> wrote:
> > > > >
> > > > > On Wed, May 28, 2025 at 5:52 PM Chris Adams <li...@cmadams.net> wrote:
> > > > > >
> > > > > > Once upon a time, Michael Catanzaro <mcatanz...@redhat.com> said:
> > > > > > > On Wed, May 28 2025 at 03:19:49 PM -05:00:00, Chris Adams
> > > > > > > <li...@cmadams.net> wrote:
> > > > > > > >So it's been another month and this still isn't resolved.  I know
> > > > > > > >people
> > > > > > > >on the Fedora side have been trying (don't want to complain about
> > > > > > > >effort).  But if Fedora can't reliably get timely updates to a 
> > > > > > > >package
> > > > > > > >that has high security implications, it should NOT be enabled by
> > > > > > > >default, or even shipped by Fedora at all.
> > > > > > >
> > > > > > > Well you're not wrong. The risk level here is considerable.
> > > > > > >
> > > > > > > But without this package, users can't play videos, and there's
> > > > > > > nothing we can do about that other than point to RPM Fusion and 
> > > > > > > hope
> > > > > > > they can figure out how to get what they need from there, which is
> > > > > > > not easy. So the consequences of dropping it are also 
> > > > > > > considerable.
> > > > > > > Rock and hard place and all that.
> > > > > >
> > > > > > This package is for playing one particular encoding of videos (and 
> > > > > > only
> > > > > > certain profiles of that encoding from what I understand).  There's 
> > > > > > also
> > > > > > nothing preventing Fedora from pointing users to Cisco's site to get
> > > > > > their provided binaries.
> > > > > >
> > > > > > There are always decisions between security and convenience, and 
> > > > > > Fedora
> > > > > > has typically gone for security (e.g. things like continually 
> > > > > > raising
> > > > > > the crypto policies).  Leaving desktop users open to a high-rated 
> > > > > > CVE
> > > > > > for three months (and counting), in the name of convenience, is 
> > > > > > rather
> > > > > > bad IMHO.
> > > > >
> > > > > Honestly, we don't really push for security like that. We have
> > > > > generally provided optionality, but that doesn't mean we want security
> > > > > to outweigh our community and usability.
> > > >
> > > > I wanna get that in writing from, let's say,
> > > >  somebody with write access to
> > > > https://docs.fedoraproject.org/en-US/project/
> > > >
> > > > > The crypto policies is an example of the problems
> > > > > caused by pushing security above everything
> > > > > else, as we wound up with several releases in a row of the package
> > > > > manager being broken because RPM could no longer verify Google
> > > > > Chrome's GPG keys (among other things).
> > > >
> > > > That's not how I remember things, like, at all.
> > > > Which *released* versions did the change ship in?
> > > > FESCo said to revert for F38 (https://pagure.io/fesco/issue/2960), we did.
> > > > That particular security issue stays unfixed to date.
> > > > Was there more to it that I don't remember?
> > > >
> > >
> > > Yes. The revert didn't apply to anyone who had installed or upgraded
> > > during the timeframe it was active, so everyone who didn't manually
> > > set it back has a broken package manager.
> >
> > What? How? I'd like more details on how that's possible.
> >
>
> Well, my Lenovo laptop running Fedora Workstation is affected, so I
> know it happens. If you say it's not possible, then I have no idea
> what's going on.

If it's still affected with the DEFAULT policy, please file a ticket.
That change should've been reverted way back in f38 beta,
and I've been under an impression it cannot possibly affect anyone.
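The check suggested in that last message, confirming which crypto policy is actually active on the machine before filing a ticket, as an added shell example that is not part of this thread. It assumes Fedora's layout, where /etc/crypto-policies/config holds the name of the active policy (a plain name such as DEFAULT, or a name with a subpolicy layered on, such as DEFAULT:SHA1); the file path is a parameter so the functions can be exercised on a constructed file on any system.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the system-wide crypto policy
# the way a user would before reporting "RPM can no longer verify keys".
# Assumption: the active policy name lives in /etc/crypto-policies/config,
# as on Fedora; the path is a parameter so the functions can be run against
# a constructed file elsewhere.

# Print the policy name, e.g. DEFAULT, DEFAULT:SHA1, LEGACY or FUTURE.
# Comment and blank lines are skipped; the first remaining line wins.
crypto_policy_name() {
    cfg="${1:-/etc/crypto-policies/config}"
    if [ ! -r "$cfg" ]; then
        echo "UNKNOWN"
        return 1
    fi
    sed -n '/^[[:space:]]*#/d; /^[[:space:]]*$/d; s/^[[:space:]]*//; s/[[:space:]]*$//; p; q' "$cfg"
}

# Succeed only when the stock DEFAULT policy is active, with no subpolicy
# (such as :SHA1) and no alternative policy selected.
policy_is_stock_default() {
    [ "$(crypto_policy_name "$1")" = "DEFAULT" ]
}

# Human-readable summary: tells the user whether what they see is the
# distribution default or the result of a local change.
report_crypto_policy() {
    name=$(crypto_policy_name "$1") || { echo "cannot read crypto policy config"; return 1; }
    echo "active crypto policy: $name"
    case "$name" in
        DEFAULT)   echo "stock DEFAULT: if signature verification still fails, file a ticket" ;;
        DEFAULT:*) echo "DEFAULT with subpolicy ${name#DEFAULT:} layered on (local change)" ;;
        *)         echo "non-default policy '$name' is active (local change)" ;;
    esac
}

# Usage: sh check-policy.sh [/etc/crypto-policies/config]
if [ "$#" -gt 0 ]; then
    report_crypto_policy "$1"
fi
```

Run it with the real path on a Fedora system; a result other than the stock DEFAULT means the behaviour being observed comes from a local policy selection rather than from the distribution's shipped default.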

-- 
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue