Petteri Räty wrote:
> If you can't manage weekly commits, you can't respond to security issues
> either.

I can see your point, I was more thinking about developers who have
maybe one or two small packages that don't have many version bumps or
bugs. They may be entirely able to respond to security issues, but may
not have reason to make the weekly commit quota. I don't know the
habits of developers well enough to know if this is a reasonable scenario?

I was under the impression that if a dev couldn't respond quickly enough
to a security issue, the security team could take steps (mask the
package, try to fix it) to ensure the package doesn't pose a problem (as
is presumably the case now with devs who forget to mark themselves as
away). Depending on the actions you envisaged (sending a warning email,
marking as away or retiring) this could create a lot of extra work for
little benefit. If it was simply a warning email it might not be very
pointful, but if it was marking them as away then it sounds like it could be
useful and automated... 5:)

Mike 5:)
--
gentoo-dev@l.g.o mailing list