| 1 |
On 2017-03-12 00:54, Kristian Fiskerstrand wrote: |
| 2 |
>> 1. From this proposal it looks like the Security Project Lead |
| 3 |
>> obtains a lot of power and a lot of responsibility, maybe too much |
| 4 |
>> for a single person to handle. |
| 5 |
>> |
| 6 |
>> While the Deputy may be assigned, this still gives all power to |
| 7 |
>> single hands. Maybe it will be better to establish something like |
| 8 |
>> the Security Project Council (SPC)? E.g. three project members may |
| 9 |
>> be elected to this SPC, so that all serious decisions will require |
| 10 |
>> some team agreement from at least 2 SPC members. This way the |
| 11 |
>> Deputy will not be needed as well. |
| 12 |
>> |
| 13 |
> The thinking here is that the project lead is the responsible party. Any |
| 14 |
> ambiguity can still be escalated to the Gentoo Council, but someone |
| 15 |
> needs to be responsible from the side of the Gentoo Security Project. |
| 16 |
|
| 17 |
I completely disagree with that. |
| 18 |
|
| 19 |
The whole powerful lead/deputy thing is going in the wrong direction. |
| 20 |
|
| 21 |
We don't need that. Security project is nothing special and doesn't need |
| 22 |
a strong lead with such a power to rule the entire Gentoo project. |
| 23 |
|
| 24 |
In general, every full member in the project should be equal. So I would |
| 25 |
list them all as confidential contact for example. This would lower the |
| 26 |
chance to compromise a member because an attacker wouldn't know who will |
| 27 |
get contacted. If we would only have one contact (like the lead) this |
| 28 |
would be a high-value target. |
| 29 |
Because the security project has some inactive/dev away members the team |
| 30 |
maybe want to select some main contacts instead. But this is up to the |
| 31 |
team/project and doesn't belong in any GLEP. |
| 32 |
|
| 33 |
|
| 34 |
-- |
| 35 |
Regards, |
| 36 |
Thomas |
Archives