1 |
On 07/06/2016 10:04 AM, Anthony G. Basile wrote: |
2 |
> Having people review your work is a good idea, no? So in cases where |
3 |
> security wants to touch a packages, why not ping the maintainer first |
4 |
> and in case of a dispute or no response, escalate the issue to QA who |
5 |
> will review the problem and act. |
6 |
> |
7 |
> Are you okay with this change in procedure? |
8 |
|
9 |
It really depends on the severity of the security issue and QA response |
10 |
time. In general it seems like additional complexity, and the use of |
11 |
package masks are rare in general (and questionable in the specific |
12 |
context being discussed, so generalizing from that is bad form) |
13 |
|
14 |
If a bug should not be a security bug, why not mention as much in the |
15 |
bug report? I'm looking at 459274 and there is no maintainer response to |
16 |
it in more than 3 years. For 473770 there is no mention of which package |
17 |
it is fixed in, and generally bad tracking that even includes a move to |
18 |
github losing old references and a "I can't reproduce this" concluding |
19 |
it is fixed for all systems. |
20 |
|
21 |
In areas like this maintainers are the ones that needs to track upstream |
22 |
development of packages, and point out which released versions contains |
23 |
fixes or which patched version downstream does. Security can't in any |
24 |
case keep track of all packages in tree, in particular with the low bar |
25 |
there seems to be for adding new ones. |
26 |
|
27 |
That said, the reason the mask is questionable in this case is the low |
28 |
severity of the bug, but that isn't a general case. |
29 |
|
30 |
If council approval of special projects as lead is an important factor, |
31 |
maybe we should rather also approve security leads? |
32 |
|
33 |
-- |
34 |
Kristian Fiskerstrand |
35 |
OpenPGP certificate reachable at hkp://pool.sks-keyservers.net |
36 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |