On 10/10/2016 05:07 AM, Florian Weimer wrote:
On 10/07/2016 06:43 PM, Dominik 'Rathann' Mierzejewski
> I was made aware that EOL software with known security bugs that will
> not be fixed upstream (due to EOL status) was reviewed and accepted into
> Fedora recently.
Fedora relies on EOLed components pretty much across the system
(including critical security functionality), so one more such package
really isn't the end of the world. I think new packages should not be
held to tremendously higher standards than existing packages.
Well... can we draw a line in the sand somewhere and maybe start
cleaning up this stuff? I don't have specific examples of old, crusty
stuff that's vulnerable sitting in our OS but is it possible to move to
something current or adopt/fork those old projects when we still need to
functionality so someone is at least looking at them?
I think it would be a very good idea to know what packages out there are
no longer being supported upstream and of those which ones have
vulnerabilities (and how bad those vulnerabilities are).