Fedora Forms Process For Retiring Packages With Open Security Issues

Written by Michael Larabel in Fedora on 26 February 2019 at 12:57 AM EST. 4 Comments
Last year Fedora's Engineering and Steering Committee (FESCo) approved a plan to drop packages with consistently bad security track records: packages whose maintainers are not addressing known security vulnerabilities in a timely manner, or that appear to be entirely unmaintained. FESCo has now approved a set of guidelines for the process by which these packages can be retired from Fedora while still standing a chance of being re-adopted and maintained.

At Monday's Fedora Engineering and Steering Committee meeting, members approved a plan for the timing by which packages with overdue security updates can be retired. The approved plan, as proposed on the mailing list, comes down to:
During the FESCo meeting on Feb 18th 2019 we decided to retire them way before branching so that people will have time to reintroduce them if needed, and this helps us to do it only in rawhide rather than in both branched and rawhide.

So, here's my proposal: once a release gets out and we start working on branching the next release, there are about three and a half months of time, which is 14 weeks.

We can start this process 10 weeks before branching and send weekly notifications for 4 weeks, and retire them after 4 weeks of notifications, which gives them 6 weeks to get back into the distribution before branching. 6 weeks before branching because if a package is retired for more than 2 weeks then it has to go through the review process, which sometimes takes time.

That proposal has now been approved along with other items, as recorded in the FESCo meeting minutes. At the same meeting they also deferred the proposal to enable DNF's "best" mode by default, which will now be considered for the Fedora 31 cycle rather than Fedora 30 as had originally been planned.