On 2017-03-12 00:54, Kristian Fiskerstrand wrote:
>> 1. From this proposal it looks like the Security Project Lead
>> obtains a lot of power and a lot of responsibility, maybe too much
>> for a single person to handle.
>>
>> While the Deputy may be assigned, this still gives all power to
>> single hands. Maybe it will be better to establish something like
>> the Security Project Council (SPC)? E.g. three project members may
>> be elected to this SPC, so that all serious decisions will require
>> some team agreement from at least 2 SPC members. This way the
>> Deputy will not be needed as well.
>>
> The thinking here is that the project lead is the responsible party. Any
> ambiguity can still be escalated to the Gentoo Council, but someone
> needs to be responsible from the side of the Gentoo Security Project.

I completely disagree with that.

The whole powerful lead/deputy thing is going in the wrong direction.

We don't need that. The security project is nothing special and doesn't need
a strong lead with such power to rule the entire Gentoo project.

In general, every full member in the project should be equal. So I would
list them all as confidential contacts, for example. This would lower the
chance of compromising a member because an attacker wouldn't know who will
get contacted. If we only had one contact (like the lead), this
would be a high-value target.
Because the security project has some inactive/dev-away members, the team
may want to select some main contacts instead. But this is up to the
team/project and doesn't belong in any GLEP.


-- 
Regards,
Thomas