| 1 |
Petteri Räty wrote: |
| 2 |
> If you can't manage weekly commits, you can't respond to security issues |
| 3 |
> either. |
| 4 |
|
| 5 |
I can see your point, I was more thinking about developers who have |
| 6 |
maybe one or two small packages that don't have many version bumps or |
| 7 |
bugs. They may be entirely able to respond to security issues, but may |
| 8 |
not have reason to make the weekly commit quota. I don't know the |
| 9 |
habits of developers well enough to know if this is a reasonable scenario? |
| 10 |
|
| 11 |
I was under the impression that if a dev couldn't respond quickly enough |
| 12 |
to a security issue, the security team could take steps (mask the |
| 13 |
package, try to fix it) to ensure the package doesn't pose a problem (as |
| 14 |
is presumably the case now with devs who forget to mark themselves as |
| 15 |
away). Depending on the actions you envisaged (sending a warning email, |
| 16 |
marking as away or retiring) this could create a lot of extra work for |
| 17 |
little benefit. If it was simply a warning email it might not be very |
| 18 |
pointful, but marking them as away then it sounds like it could be |
| 19 |
useful and automated... 5:) |
| 20 |
|
| 21 |
Mike 5:) |
| 22 |
-- |
| 23 |
gentoo-dev@l.g.o mailing list |
Archives