Fedora Forms Process For Retiring Packages With Open Security Issues

Written by Michael Larabel in Fedora on 26 February 2019 at 12:57 AM EST. 4 Comments
Last year Fedora's Engineering and Steering Committee approved a plan to drop packages with consistently bad security track records where these packages aren't being punctually maintained in order to address known security vulnerabilities or potentially unmaintained entirely. FESCo has now approved a set of guidelines for the process by which these packages can be retired from Fedora but still stand a chance to be re-adopted and maintained.

At Monday's Fedora Engineering and Steering Committee, members approved a plan for the timing by which these packages bearing untimely security updates can be retired. The approved plan comes down to:
During the FESCo meeting on Feb 18th 2019 we decided to retire them way before branching so that people will have time to reintroduce them if needed and this helps us to do it only in rawhide rather than in both, branched and rawhide.

So, here's my proposal, once a release gets out and we start working on branching on next release, there are about three and half months of time which is 14 weeks.

We can start this process 10 weeks before branching and send weekly notifications for 4 weeks and retire them after 4 weeks of notifications, which gives them 6 weeks to get them back into distribution before branching. 6 weeks before branching because if a package is retired for more than 2 weeks then they have to go through the review process which takes time sometimes.

That proposal has now been approved along with other items via the FESCo meeting minutes. At this meeting they also deferred the proposal to enable DNF's "best" mode by default to something they will consider for the Fedora 31 cycle but not Fedora 30 as had originally been planned.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week