From mboxrd@z Thu Jan 1 00:00:00 1970
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
Sender: yngwin@gmail.com
In-Reply-To: <20120913034350.24e9c3dc@marga.jer-c2.orkz.net>
References: <1347472741.2365.5.camel@belkin4> <20120912202932.1fc1adbb@marga.jer-c2.orkz.net> <1347476000.2365.14.camel@belkin4> <20120913034350.24e9c3dc@marga.jer-c2.orkz.net>
Date: Thu, 13 Sep 2012 11:29:19 +0800
Subject: Re: [gentoo-dev] About changing security policy to unCC maintainers when their are not needed
From: Ben de Groot
To: gentoo-dev@lists.gentoo.org
Content-Type: text/plain; charset=UTF-8

On 13 September 2012 09:43, Jeroen Roovers wrote:
> On Wed, 12 Sep 2012 20:53:20 +0200
> Pacho Ramos wrote:
>
>> > You can un-CC yourself. I don't see why security@ should be doing
>> > the legwork.
>>
>> It shouldn't be so hard to do, they can do it just when they CC
>> arches, instead of relaying some random team member to do it himself
>> once a useless message is received
>
> It does become a chore when you have to check a list to match various
> CC'd people's preferences and decide whether to un-CC them based on
> that, the way they were CC'd (did they do it themselves, were they CC'd
> by security, and so on) and perhaps some other factors someone will no
> doubt soon propose in this thread.
>
> Basically you are saying, "why doesn't anyone else do my volunteer work
> for me".
>
>
> jer
>

I don't mind getting the odd security bug mail. It's relatively low
volume, and I like to know what's happening to packages I maintain.

What irks me much more is that it can take half an eternity for
security bugs to get addressed properly. Especially minor arches can
stretch out the stabilization process for months or years.

Recently we (Qt team) had to push really hard and "punish" lagging
minor arches with hard-masking Qt libs and all reverse dependencies in
order to get an ancient version with several open security bugs
removed from the tree (because they hadn't keyworded/stabilized newer
versions and were unresponsive to our requests).

I think we should adopt a policy that we set a hard limit of 3 months
in which arches can address stabilization requests before we just drop
keywords. Even that is in my opinion an awfully long time to leave
vulnerable versions in the tree.

-- 
Cheers,

Ben | yngwin
Gentoo developer
Gentoo Qt project lead, Gentoo Wiki admin