On 1 November 2016 at 13:32, Tom Boutell <t...@punkave.com> wrote:
> I think that if a CVE arrives that we can't easily address through a patch,
> we have to be prepared to force an upgrade. Potentially "abandoning" a
> package that has CVEs in the wild, in the hope people will read about an
> optional upgrade, sounds like a policy we could regret.
>
> Is there any history of EPEL just abandoning a package? What should happen in
> that situation? Perhaps it's been necessary at some point (no support
> upstream, no one available downstream either...).
There is an incredibly long history of EPEL abandoning packages for the above reasons, all the time. It has been done pretty much from the get-go. The standard practice has been that when a package is no longer workable, it is withdrawn. Yes, it sucks all around, but in many cases this is the path that has been taken.

--
Stephen J Smoogen.

_______________________________________________
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org