| 1 |
On 3/13/17 3:10 PM, Thomas Deutschmann wrote: |
| 2 |
|
| 3 |
> I completely disagree with that. |
| 4 |
> |
| 5 |
> The whole powerful lead/deputy thing is going in the wrong direction. |
| 6 |
> |
| 7 |
> We don't need that. Security project is nothing special and doesn't need |
| 8 |
> a strong lead with such a power to rule the entire Gentoo project. |
| 9 |
> |
| 10 |
> In general, every full member in the project should be equal. So I would |
| 11 |
> list them all as confidential contact for example. This would lower the |
| 12 |
> chance to compromise a member because an attacker wouldn't know who will |
| 13 |
> get contacted. If we would only have one contact (like the lead) this |
| 14 |
> would be a high-value target. |
| 15 |
|
| 16 |
That is not possible (every full member as a confidential contact). This |
| 17 |
is not something that is allowed by the upstream early notification |
| 18 |
teams. We have tried using a mailing list and only very few would accept |
| 19 |
that. |
| 20 |
|
| 21 |
Also this is important for point of contacts as well. Once the |
| 22 |
confidential contacts receive the email they put in to bugzilla and make |
| 23 |
it security bug at that point everyone sees it. |
| 24 |
|
| 25 |
> Because the security project has some inactive/dev away members the team |
| 26 |
> maybe want to select some main contacts instead. But this is up to the |
| 27 |
> team/project and doesn't belong in any GLEP. |
| 28 |
|
| 29 |
That is the whole point of elections, if the lead is away then the |
| 30 |
deputy takes over the role. If the deputy can not do the job for some |
| 31 |
reason then they can be changed to another deputy. There is no problems |
| 32 |
with that, the deputy role being a non-elected role. |
Archives