Daniel Roesen said:
> On Thu, Mar 18, 2004 at 02:35:41PM +0000, Joe Orton wrote:
>> The problem is really that there is no QA team for Fedora which can test
>> embargoed security fixes.
>
> The stuff *is* already being tested for RH9, and I seriously
> doubt that a RH9 QA'ed OpenSSL package behaves any different on
> FC1 - given that both have the almost exact same OpenSSL predecessor
> package.

EOL for RH 9 is April 30th. Not a good long term plan.

> The only changes between 0.9.7a-20 (RH9 predecessor) and 0.9.7a-23
> (current FC1) are:
>
> - add a_mbstr.c fix for 64-bit platforms from CVS
> - add -Wa,--noexecstack to RPM_OPT_FLAGS so that assembled modules get
>   tagged as not needing executable stacks
> - remove exclusivearch
>
> I doubt that pulling in the changes in the RH9 update:
[snip]
> do invalidate any QA already done.
>
> I may be wrong... feel free to clue me in. :-)

How about things linked with OpenSSL? HTTPd, OpenSSH, stunnel...

>> (Unless you want us to do everything
>> privately inside Red Hat again, which defeats the point of the project).
>
> Well, Fedora is still a RH-only show.

Not from where I'm sitting.

--
William Hooper