On 7/6/16 8:11 AM, Rich Freeman wrote:
> Like I said, one mistake doesn't make a trend, and we shouldn't
> over-react to a mistake. However, the way to handle a mistake is for
> everybody to say "this was a mistake," not "you're the only person who
> has a problem with this." Let's just fix whatever broke (if it isn't
> already fixed) and move on. We don't need to defend mistakes.

+1

So what we don't want happening again moving forward is where a
developer (me in this case) thinks he's provided the information needed
for security, then the bug goes dormant 3 years, and then out of the
blue a p.mask with 30 days notice until removal. Especially if the
security issue is minor.

The security@g.o list has 500+ open bugs going back years. We don't
want this uncertainty to loom over all developers' heads. A reasonable
policy here would help create clear expectations for security and other
developers.

I don't think I need to add more to this since K_F appears to be working
on something that will address this.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA