Patrice Dumas wrote:
On Thu, Mar 13, 2008 at 12:33:17AM -0500, Toshio Kuratomi wrote:
> There's some basis for Jef's argument in the "Fedora is not a dumping
> ground for old, unmaintained software" philosophy. OTOH, the line between
> no upstream, a little upstream activity, and maintained by the Fedora
> Packager could get blurry here. So if we're planning on proposing some
> actual guidelines regarding what is an appropriate level of upstream
> activity to consider a package for Fedora, a conversation about this is
> *definitely* needed.
>
This comes up now and then. Some packages are completely unmaintained, but
also completely stable and don't need an upstream maintainer anymore, so
that maintaining them in Fedora is right.

This may be OK for some types of packages, but crypto has challenges of
its own. There are constantly new attacks published against existing
crypto implementations. These attacks are not necessarily 'bugs' in the
implementation, per se (not the same way a stack overflow or an
uninitialized variable is a bug -- even if it's latent), but
improvements in the state of the art of cryptanalysis. Any crypto code
without a very active upstream tracking these issues will very quickly
atrophy and become vulnerable.
bob