On 13 September 2012 09:43, Jeroen Roovers <jer@g.o> wrote:
> On Wed, 12 Sep 2012 20:53:20 +0200
> Pacho Ramos <pacho@g.o> wrote:
>
>> > You can un-CC yourself. I don't see why security@ should be doing
>> > the legwork.
>>
>> It shouldn't be so hard to do, they can do it just when they CC
>> arches, instead of relaying some random team member to do it himself
>> once a useless message is received
>
> It does become a chore when you have to check a list to match various
> CC'd people's preferences and decide whether to un-CC them based on
> that, the way they were CC'd (did they do it themselves, were they CC'd
> by security, and so on) and perhaps some other factors someone will no
> doubt soon propose in this thread.
>
> Basically you are saying, "why doesn't anyone else do my volunteer work
> for me".
>
>
> jer
>

I don't mind getting the odd security bug mail. It's relatively low
volume, and I like to know what's happening to packages I maintain.

What irks me much more is that it can take half an eternity for
security bugs to get addressed properly. Especially minor arches can
stretch out the stabilization process for months or years. Recently we
(Qt team) had to push really hard and "punish" lagging minor arches
with hard-masking Qt libs and all reverse dependencies in order to get
an ancient version with several open security bugs removed from the
tree (because they hadn't keyworded/stabilized newer versions and were
unresponsive to our requests).

I think we should adopt a policy that we set a hard limit of 3 months
in which arches can address stabilization requests before we just drop
keywords. Even that is in my opinion an awfully long time to leave
vulnerable versions in the tree.

--
Cheers,

Ben | yngwin
Gentoo developer
Gentoo Qt project lead, Gentoo Wiki admin