| 1 |
On 07/06/2016 10:04 AM, Anthony G. Basile wrote: |
| 2 |
> Having people review your work is a good idea, no? So in cases where |
| 3 |
> security wants to touch a packages, why not ping the maintainer first |
| 4 |
> and in case of a dispute or no response, escalate the issue to QA who |
| 5 |
> will review the problem and act. |
| 6 |
> |
| 7 |
> Are you okay with this change in procedure? |
| 8 |
|
| 9 |
It really depends on the severity of the security issue and QA response |
| 10 |
time. In general it seems like additional complexity, and the use of |
| 11 |
package masks are rare in general (and questionable in the specific |
| 12 |
context being discussed, so generalizing from that is bad form) |
| 13 |
|
| 14 |
If a bug should not be a security bug, why not mention as much in the |
| 15 |
bug report? I'm looking at 459274 and there is no maintainer response to |
| 16 |
it in more than 3 years. For 473770 there is no mention of which package |
| 17 |
it is fixed in, and generally bad tracking that even includes a move to |
| 18 |
github losing old references and a "I can't reproduce this" concluding |
| 19 |
it is fixed for all systems. |
| 20 |
|
| 21 |
In areas like this maintainers are the ones that needs to track upstream |
| 22 |
development of packages, and point out which released versions contains |
| 23 |
fixes or which patched version downstream does. Security can't in any |
| 24 |
case keep track of all packages in tree, in particular with the low bar |
| 25 |
there seems to be for adding new ones. |
| 26 |
|
| 27 |
That said, the reason the mask is questionable in this case is the low |
| 28 |
severity of the bug, but that isn't a general case. |
| 29 |
|
| 30 |
If council approval of special projects as lead is an important factor, |
| 31 |
maybe we should rather also approve security leads? |
| 32 |
|
| 33 |
-- |
| 34 |
Kristian Fiskerstrand |
| 35 |
OpenPGP certificate reachable at hkp://pool.sks-keyservers.net |
| 36 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
Archives