fas username: @v02460
package: matrix-synapse
issues to fix:
https://bugzilla.redhat.com/show_bug.cgi?id=2325848
https://bugzilla.redhat.com/show_bug.cgi?id=2340821
https://bugzilla.redhat.com/show_bug.cgi?id=2367684
https://bugzilla.redhat.com/show_bug.cgi?id=2371743
nonresponsive maintainer bug: <link-to-nonresponsive-maintainer-bug>
fedora-devel mail: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/43ON6DYLF42243REKYHHVRX7AKFRD6KM/
comaintainers: AFAIK none
I am interested in comaintaining the package: yes
additional notes: The package has been poorly maintained for so many years now that upstream points to a 3rd party repository.
This is a ticket for Fedora's Policy for nonresponsive package maintainers.
Sorry, forgot to replace nonresponsive maintainer bug placeholder: https://bugzilla.redhat.com/show_bug.cgi?id=2369140
Last bodhi / koji activity was three months ago (three matrix-synapse security updates).
Last comments / activity on bugzilla is a few months old too (query here). Note that a lot of their recent review request tickets were auto-closed due to inactivity too.
+1
It's been more than 3 days per the policy, so adding js to the package.
This ticket should stay open to continue the process...
Metadata Update from @ngompa: - Issue tagged with: nonresponsive maintainer
Metadata Update from @zbyszek: - Issue untagged with: nonresponsive maintainer
Metadata Update from @zbyszek: - Issue tagged with: nonresponsive maintainer
matrix-synapse maintainer here, now responding. It’s currently quite busy for me, so I’d be happy to have someone else maintain the package, too.
The package has been poorly maintained for so many years now that upstream points to a 3rd party repository.
The link to Oleg’s repo is there for a long time and was not put there as a reaction to my actions as maintainer. Instructions for the official Fedora package are still listed first.
The situation has been bad for quite a while already (the update history is that it was almost always very much behind, including unpatched security vulnerabilities).
Please note that I am monitoring Synapse security issues closely and go to great length backporting those to all stable Fedora releases. Some fixes took quite the effort and coordination to pull off and sadly took a while. Most of the time I get security updates out before the corresponding Bugzilla tickets even appear. I do not follow upstream releases closely on rawhide, though, as I don’t see the benefits for the effort.
Please note that I am monitoring Synapse security issues closely and go to great length backporting those to all stable Fedora releases.
Personally, I don't think that is the correct approach. This is Fedora, not Debian stable. At least the latest Fedora release and rawhide should have a somewhat up to date version IMHO, especially as Matrix is a fast-moving ecosystem and has no LTS releases. Personally, I don't think only doing security updates and ignoring Bugzilla for months is enough maintenance. Especially if things even fail to build.
I've been unhappy with how it is maintained for a while, as have others apparently, given 3rd party repos.
@FESCo: Since v02460 responded now, what will happen next?
@js: I wrote you a mail to further coordinate maintainership of matrix-synapse.
Did you come to some conclusion?
Not yet. We have agreement on adding the security hardening to the systemd unit, but that's it.
As for upgrading the package, Kai asked me to not update it on f42 (nobody is running rawhide on a server, I hope), as he believes this would be in violation of https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/. My understanding OTOH has been that the update policy is not applied strictly, especially not on leaf packages, and especially not on ones such as Synapse where the ecosystem keeps moving and an old version just becomes useless. At least, nobody has ever complained to me when I updated leaf packages -- but I did get complaints when I did not update quickly enough (such as e.g. Electrum).
Can FESCo make a call here, please?
I don't think we currently have a process for dealing with situations like this.
I would agree that updating matrix-synapse on stable branches should be considered, especially since it's a network-facing component that becomes increasingly outdated and less useful over time (and I don't think painstakingly backporting security fixes to releases no longer maintained by upstream is a good way to spend maintainer time, TBH).
Well, the updates policy does include:
"If a package primarily serves to interoperate with hardware or network protocols, and the interface changes, then a package may be rebased if necessary. This includes network games, IM protocols, hardware music players, cell phones, etc. These packages may also be updated to add support for new devices or formats in compatible ways."
I guess apply for the exception just so we can add it to the list if the exception is approved?