On Tuesday, 4 October 2011, 17:03:56, Cristian Morales Vega wrote:
As an 11.4 user I ask myself:
- Who will patch the digikam 1.8 package from the main repo if there is ever a security issue? The security team.
- Who will patch the digikam 2.2 package from the KDF repo if there is ever a security issue? There are two independent teams here. At the very minimum upstream will do it (and the KDF maintainers will publish the update from upstream). And I expect the security team and/or the KDF maintainers to also do some basic checks since those packages have to go to Factory. Perhaps it's not as secure as the package from the official repo, but it gives me some confidence to know someone is watching it.
- Who will patch the digikam 1.9 package from the KUA repo if there is ever a security issue? Upstream is NOT going to. KDF maintainers are NOT going to. Who is going to then?
And that's the simple reason why packages should build. Trust in a package is a temporal state that disappears the moment the maintainer publishes an update. What I really trust is the maintainer, not the package, and the maintainer can only transfer that trust to the LATEST package. I even stop trusting the packages from the official repo once an update is published in the updates repo...
I thought about that issue too – but the answer you will get is that every user who uses any obs repo accepts the risk of doing so and thus has to care about any issues himself. Not nice, certainly not something to make openSUSE more popular, but given the resources kind of understandable.

Sven