| 1 |
On 7/6/16 8:11 AM, Rich Freeman wrote: |
| 2 |
> Like I said, one mistake doesn't make a trend, and we shouldn't |
| 3 |
> over-react to a mistake. However, the way to handle a mistake is for |
| 4 |
> everybody to say "this was a mistake," not "you're the only person who |
| 5 |
> has a problem with this." Let's just fix whatever broke (if it isn't |
| 6 |
> already fixed) and move on. We don't need to defend mistakes. |
| 7 |
|
| 8 |
+1 |
| 9 |
|
| 10 |
So what we don't want happening again moving forward is where a |
| 11 |
developer (me in this case) thinks he's provided the information needed |
| 12 |
for security, then the bug goes dormant 3 years, and then out of the |
| 13 |
blue a p.mask with 30 days notice until removal. Especially if it the |
| 14 |
security issue is minor. |
| 15 |
|
| 16 |
The security@g.o list has 500+ open bugs going back years. We don't |
| 17 |
want this uncertainty to loom over all developers heads. A reasonable |
| 18 |
policy here would help create clear expectations for security and other |
| 19 |
developers. |
| 20 |
|
| 21 |
I don't think I need to add more to this since K_F appears to be working |
| 22 |
on something that will address this. |
| 23 |
|
| 24 |
-- |
| 25 |
Anthony G. Basile, Ph.D. |
| 26 |
Gentoo Linux Developer [Hardened] |
| 27 |
E-Mail : blueness@g.o |
| 28 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 29 |
GnuPG ID : F52D4BBA |
Archives