Fedora Might Start Dropping Packages With Consistently Bad Security Records
Fedora's Engineering and Steering Committee is mulling over the idea of dropping software packages from the distribution that have notoriously bad security track records.
The packages in question are those with a poor security record, typically because the Fedora package maintainer has stopped maintaining them for one reason or another, or because the upstream project itself is unmaintained and keeps accumulating unfixed issues. For software that is no longer maintained upstream there is often an alternative project that could be packaged instead. Many niche packages also get introduced to the Fedora ecosystem by new contributors and are then never properly maintained for lack of interest, time, etc. Being able to remove such "unsafe" packages on security grounds would address the problem of security tickets against them staying open for extended periods of time.
FESCo hasn't come to a firm decision on this proposed process yet but will be discussing it at the upcoming Flock conference. Flock is happening the next few days in Dresden, Germany. More details on the "drop packages with recurring bad security" proposal can be found here.
At Monday's FESCo meeting they did approve better FPGA support for Fedora 29 as well as the TLS 1.3 GnuTLS plans.
Additionally, with Fedora 29, FESCo is now backing the introduction of an F29 Minishift Spin. Minishift is a software package for easily creating a single-node OpenShift cluster, particularly for trying out OpenShift locally. So with this new Fedora 29 spin it should be super easy to test out a deployment of Red Hat's container application platform.