| 1 |
Mike Auty kirjoitti: |
| 2 |
> Petteri Räty wrote: |
| 3 |
>> If you can't manage weekly commits, you can't respond to security |
| 4 |
>> issues either. |
| 5 |
> |
| 6 |
> I can see your point, I was more thinking about developers who have |
| 7 |
> maybe one or two small packages that don't have many version bumps or |
| 8 |
> bugs. They may be entirely able to respond to security issues, but may |
| 9 |
> not have reason to make the weekly commit quota. I don't know the |
| 10 |
> habits of developers well enough to know if this is a reasonable scenario? |
| 11 |
> |
| 12 |
> I was under the impression that if a dev couldn't respond quickly enough |
| 13 |
> to a security issue, the security team could take steps (mask the |
| 14 |
> package, try to fix it) to ensure the package doesn't pose a problem (as |
| 15 |
> is presumably the case now with devs who forget to mark themselves as |
| 16 |
> away). Depending on the actions you envisaged (sending a warning email, |
| 17 |
> marking as away or retiring) this could create a lot of extra work for |
| 18 |
> little benefit. If it was simply a warning email it might not be very |
| 19 |
> pointful, but marking them as away then it sounds like it could be |
| 20 |
> useful and automated... 5:) |
| 21 |
> |
| 22 |
> Mike 5:) |
| 23 |
|
| 24 |
Undertakers would still be processing the retirements. What I am talking |
| 25 |
about is changing how the list of potentially inactive people is created. |
| 26 |
|
| 27 |
Regards, |
| 28 |
Petteri |
Archives