Mike Auty wrote:
> Petteri Räty wrote:
>> If you can't manage weekly commits, you can't respond to security
>> issues either.
>
> I can see your point, I was more thinking about developers who have
> maybe one or two small packages that don't have many version bumps or
> bugs. They may be entirely able to respond to security issues, but may
> not have reason to make the weekly commit quota. I don't know the
> habits of developers well enough to know if this is a reasonable scenario?
>
> I was under the impression that if a dev couldn't respond quickly enough
> to a security issue, the security team could take steps (mask the
> package, try to fix it) to ensure the package doesn't pose a problem (as
> is presumably the case now with devs who forget to mark themselves as
> away). Depending on the actions you envisaged (sending a warning email,
> marking as away or retiring) this could create a lot of extra work for
> little benefit. If it was simply a warning email it might not be very
> pointful, but marking them as away then it sounds like it could be
> useful and automated... 5:)
>
> Mike 5:)
|
Undertakers would still be processing the retirements. What I am talking
about is changing how the list of potentially inactive people is created.
|
Regards,
Petteri