On 15/03/10 22:34, Xavier Chantry wrote: > On Mon, Mar 15, 2010 at 11:18 PM, Magnus Therning <mag...@therning.org> wrote: >> After a quick look at it I don't see much that would apply though. Arch >> doesn't have releases. Arch follows upstream releases very closes (in some >> cases even too closely ;-) >> >> So, if there is no need for backporting to a set of packages that has been >> blessed into a supported release, what is left to do for a dedicated security >> team? >> > > 1) what allan said : > A group could monitor security issues and file bugs to get the devs to > fix them.
Is there any evidence that this is actually needed? My impression is that maintainers already are monitoring upstream releases. When they are lagging, there are users who mark things out-of-date. The occasional non-maintainer upload doesn't seem to warrant a dedicated team. > 2) resume and finish the gpg work for pacman & friends Sure, that is worth doing. Is it really a task for a dedicated security team? It sounds more like a one-time thing for a group of developers. Please do note that I'm more than willing to be convinced. /M -- Magnus Therning (OpenPGP: 0xAB4DFBA4) magnus@therning.org Jabber: magnus@therning.org http://therning.org/magnus identi.ca|twitter: magthe
signature.asc
Description: OpenPGP digital signature
