On Sun, 10 Apr 2011 15:41:25 +0900 TASAKA Mamoru mtasaka@fedoraproject.org wrote:
> Tomasz Torcz wrote, at 04/09/2011 07:57 PM +9:00:
>> On Sat, Apr 09, 2011 at 05:32:04AM +0200, Kevin Kofler wrote:
>>> Will Woods wrote:
>>>> In fact, there's plenty of approvers available, but you're not engaging with them. They might not know how to test libtiff, or what needs testing, so other stuff gets tested first.
>>> The fact is, this is a SECURITY UPDATE and as such it should go out even without testing. It's not acceptable to sit on security updates for weeks.
>> No, security updates are not _that_ special. For example, there's an avahi update in the pipeline. It has broken dependencies. Pushing this would break some systems. I'm talking about: https://admin.fedoraproject.org/updates/avahi-0.6.27-6.fc14
> So as a result we are just leaving this security issue unresolved for more than one month? Okay, it is all very well that we try to explain why the new update request is not yet pushed, but then people would ask, "so why can't Fedora try to fix such issues like broken dependencies ASAP? Short of manpower? Is Fedora just making light of security issues?"
> Who is responsible for this issue?
I would say (in order):
- The person who submitted the update.
- Any co-maintainers the package has that could fix it and push a new update.
- Any provenpackagers who are interested in the package and can go fix it and push a fixed update.
- FESCo or rel-eng if no one else steps up and someone notifies those bodies of the problem, so someone there can fix it.
kevin