FESCo accepted [1] a new policy to handle packages with long-standing known security bugs in a way similar to FTBFS bugs:
AGREED: If a CRITICAL or IMPORTANT security issue is currently open against a package, or a security issue of lower severity has been open for at least 6 months, four weeks before the branch point a procedure similar to long-standing FTBFS will be triggered immediately, with 8 weeks of weekly notifications to maintainers and subsequent orphaning and then subsequent removal from distribution. This applies to all packages, not just leaf. This policy will apply to F30 and later. The branch point is on 2019/02/19, so somewhere around January 22 the procedure should start with notifications being sent out. Maintainers are of course encouraged to fix any security issues immediately. See [2] for a list of currently open security bugs. [1] https://pagure.io/fesco/issue/1935#comment-528180 [2] https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9337195&order=changeddate%2Cpriority%2Cbug_id&product=Fedora&query_format=advanced Zbyszek, on behalf of FESCo _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
