I think that if a CVE arrives that we can't easily address through a patch, we 
have to be prepared to force an upgrade. Potentially "abandoning" a package 
that has CVEs in the wild, in the hope people will read about an optional 
upgrade, sounds like a policy we could regret.

Is there any history of EPEL just abandoning a package? What should happen in 
that situation? Perhaps it's been necessary at some point (no support upstream, 
no one available downstream either...).
_______________________________________________
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
