> Ok so there is a bug to fix in e17, what do you do ?

I report it to upstream team (on irc or on the ML)

> Or a security issue like the one I found ( and that should be fixed I
> hope soon, after reporting it 3 times upstream ).

Same way, report it upstream.

If upstream don't fix a bug (or security issue), this bug isn't fixed.

unless packager become a dev and fix the bug himself.

> if the answer is "we ship a newer snapshot who requires to rebuild
> everything regarding e17 because there is no guarantee of binary
> stability ( ie, ABI wise ) and that will introduce unwanted changes",
> then the problem is here. 

I was thinking about something like this.

> Unless the snapshot are bugfixes only ( and they are not ), that's a
> problem. That's already annoying to have to do it for chrome, firefox
> and thunderbird to not happily increase our burden with a whole desktop
> environnement.

Without stable release, and upstream team doing fix release. I don't know

how to do manage package.

> So far, I have asked the question 3 times. No one answered at all.

I hope it's done this time.

> Also, please do not top post. 

Sorry, will try ...

So, yes, there isn't any way to manage bug/security issue in a very easy way

when upstream team don't provide stable tarball. So, what is the mageia 

policy in this case ? no packaging at all ? "private" packaging ?

regards,

trem