On 3/13/17 3:10 PM, Thomas Deutschmann wrote:

> I completely disagree with that.
>
> The whole powerful lead/deputy thing is going in the wrong direction.
>
> We don't need that. Security project is nothing special and doesn't need
> a strong lead with such a power to rule the entire Gentoo project.
>
> In general, every full member in the project should be equal. So I would
> list them all as confidential contact for example. This would lower the
> chance to compromise a member because an attacker wouldn't know who will
> get contacted. If we would only have one contact (like the lead) this
> would be a high-value target.

That is not possible (every full member as a confidential contact). This
is not something that is allowed by the upstream early notification
teams. We have tried using a mailing list and only very few would accept
that.

Also this is important for points of contact as well. Once the
confidential contacts receive the email they put it into Bugzilla and make
it a security bug; at that point everyone sees it.

> Because the security project has some inactive/dev away members the team
> maybe want to select some main contacts instead. But this is up to the
> team/project and doesn't belong in any GLEP.

That is the whole point of elections: if the lead is away then the
deputy takes over the role. If the deputy cannot do the job for some
reason then they can be changed to another deputy. There are no problems
with that, the deputy role being a non-elected role.