| 1 |
On 2017.03.11 20:50, Kristian Fiskerstrand wrote: |
| 2 |
> A draft of a Pre-GLEP for the Security project is available for |
| 3 |
> reading |
| 4 |
> at https://wiki.gentoo.org/wiki/User:K_f/GLEP:Security |
| 5 |
> |
| 6 |
> The GLEP follows a line of GLEPs for special projects that have |
| 7 |
> tree-wide access in order to ensure proper accountability (c.f GLEP 48 |
| 8 |
> for QA and still non-produced GLEP for ComRel (I've started working on |
| 9 |
> this and will be presenting this one later as current ComRel Lead)) |
| 10 |
> |
| 11 |
> Comments, patches, threats, etc welcome |
| 12 |
> |
| 13 |
> -- |
| 14 |
> Kristian Fiskerstrand |
| 15 |
> OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 16 |
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
| 17 |
> |
| 18 |
> |
| 19 |
|
| 20 |
Kristian, |
| 21 |
|
| 22 |
First of all, thank you. We have needed something like this for several |
| 23 |
projects, for some time. |
| 24 |
|
| 25 |
A few odds and ends. |
| 26 |
|
| 27 |
Why do Security Project members need to be ebuild devs? |
| 28 |
Non ebuild developers can contribute by producing GLSAs, |
| 29 |
for example. |
| 30 |
|
| 31 |
Who manages the Security Project (from outside). It appears from |
| 32 |
the draft GLEP, nobody. That means that the project could become |
| 33 |
moribund and nobody would notice. Its not like Gentoo enforces |
| 34 |
or even checks for leadership elections. That's an anual event |
| 35 |
anyway, so its not a measure of a projects continued well being. |
| 36 |
|
| 37 |
Compare the Security Project to council, that have a monthly |
| 38 |
showing of project health. |
| 39 |
|
| 40 |
Projects tend to be left alone. Gentoo has several projects that |
| 41 |
appear to be unmanaged but cannot be permitted to die out. |
| 42 |
This is one. Who takes the Security Projects pulse and how? |
| 43 |
|
| 44 |
A periodic automated message to -dev that all Security Project |
| 45 |
members "reply to list" is both public and mimnimally invasive. |
| 46 |
Its no more than 'roll call'. |
| 47 |
|
| 48 |
Now the hard one, who does what when there is no pulse from |
| 49 |
the Security Project? |
| 50 |
|
| 51 |
This isn't really a Security Project issue. If its ever needed, the |
| 52 |
Security Project isn't active. It affects other projects too, like |
| 53 |
comrel, QA and others. Perhaps there is a common solution |
| 54 |
to taking a proqcts pulse and reacting when there is none. |
| 55 |
|
| 56 |
-- |
| 57 |
Regards, |
| 58 |
|
| 59 |
Roy Bamford |
| 60 |
(Neddyseagoon) a member of |
| 61 |
elections |
| 62 |
gentoo-ops |
| 63 |
forum-mods |
Archives