I was made aware that EOL software with known security bugs that will
not be fixed upstream (due to EOL status) was reviewed and accepted into
Fedora recently. This came on the back of the FPC ticket  asking to
make some changes in the Python Packaging Guidelines. I did go back and
re-read our current guidelines and found that we don't have any policy
on that. As a result, I opened a FESCo ticket  with the aim of
establishing a clear policy on how to treat EOL software with known
My proposal is:
1. Prevent EOL software with known security vulnerabilities from
entering Fedora in the first place, i.e. make it a review bullet point
(if the package is EOL it MUST NOT have any known security
vulnerabilities). If existing packages are found to be EOL and have known
security vulnerabilities, the vulnerability must either be patched by
the maintainer (or otherwise handled, e.g. by switching to an actively
maintained fork) or the package must be removed from Fedora.
2. A ticket may be opened to FESCo applying for an exception to the
above. FESCo should most likely seek the advice of the Fedora
Security Team in such cases.
Please read comments in both referenced tickets to avoid repeating
arguments which were given already.
-- Delenn to Lennier in Babylon 5: "Confessions and Lamentations"