| 1 |
On 13 September 2012 09:43, Jeroen Roovers <jer@g.o> wrote: |
| 2 |
> On Wed, 12 Sep 2012 20:53:20 +0200 |
| 3 |
> Pacho Ramos <pacho@g.o> wrote: |
| 4 |
> |
| 5 |
>> > You can un-CC yourself. I don't see why security@ should be doing |
| 6 |
>> > the legwork. |
| 7 |
>> |
| 8 |
>> It shouldn't be so hard to do, they can do it just when they CC |
| 9 |
>> arches, instead of relaying some random team member to do it himself |
| 10 |
>> once a useless message is received |
| 11 |
> |
| 12 |
> It does become a chore when you have to check a list to match various |
| 13 |
> CC'd people's preferences and decide whether to un-CC them based on |
| 14 |
> that, the way they were CC'd (did they do it themselves, were they CC'd |
| 15 |
> by security, and so on) and perhaps some other factors someone will no |
| 16 |
> doubt soon propose in this thread. |
| 17 |
> |
| 18 |
> Basically you are saying, "why doesn't anyone else do my volunteer work |
| 19 |
> for me". |
| 20 |
> |
| 21 |
> |
| 22 |
> jer |
| 23 |
> |
| 24 |
|
| 25 |
I don't mind getting the odd security bug mail. It's relatively low |
| 26 |
volume, and I like to know what's happening to packages I maintain. |
| 27 |
|
| 28 |
What irks me much more is that it can take half an eternity for |
| 29 |
security bugs to get addressed properly. Especially minor arches can |
| 30 |
stretch out the stabilization process for months or years. Recently we |
| 31 |
(Qt team) had to push really hard and "punish" lagging minor arches |
| 32 |
with hard-masking Qt libs and all reverse dependencies in order to get |
| 33 |
an ancient version with several open security bugs removed from the |
| 34 |
tree (because they hadn't keyworded/stabilized newer versions and were |
| 35 |
unresponsive to our requests). |
| 36 |
|
| 37 |
I think we should adopt a policy that we set a hard limit of 3 months |
| 38 |
in which arches can address stabilization requests before we just drop |
| 39 |
keywords. Even that is in my opinion an awfully long time to leave |
| 40 |
vulnerable versions in the tree. |
| 41 |
|
| 42 |
-- |
| 43 |
Cheers, |
| 44 |
|
| 45 |
Ben | yngwin |
| 46 |
Gentoo developer |
| 47 |
Gentoo Qt project lead, Gentoo Wiki admin |
Archives