Jérémy Bobbio <lu...@debian.org> writes:

> Dear candidates, do you think it would be wise to advertise `testing` as
> a usable distribution to our users given that state of affairs? Given
> that our security support for stable is already not as best as it could
> be, do you think we should encourage volunteers to be more active in
> security support for testing?

First of all, our security team is doing an excellent job, considering the amount of work required and how few people they are, their response time and the quality of work they do is very high. Could it be improved? Yes, of course. With enough manpower at our disposal, we could pro-actively search for and find security issues! But we're nowhere near that, nor should we be, I believe.

As for advertising testing: for some uses, we should, yes. But without security updates managed by the security team, those uses are fairly limited, and the consequences must be kept in mind. This makes it hard to make a good case for testing.

If we'd have enough manpower to handle security updates for testing as well (either via unstable, or through other channels), that would help tremendously. Not only our users, but our maintainers would have it slightly easier too.

Therefore, I find it a commendable task to encourage volunteers to work on security support (be that for stable, testing or otherwise).

> Do you have ideas on how to attract more volunteers to the dull, hard,
> and sometimes boring tasks of taking care of security issues in
> Debian?

Realizing that the task is neither dull nor boring would be one step. It is hard quite often, though.

I do have a couple of ideas (shamelessly borrowed from my former boss, who convinced me to work at the support department instead of development), but these may present more problems than they solve, at least initially.

You see, preparing security releases is a complicated task, one that requires a good knowledge in a number of areas: packaging, security, a multitude of languages, upgrade paths, and so on and so forth. It requires a particularly diverse set of skills. That is also what makes it so very interesting (even entertaining, in some respects). There aren't many people who have the diverse knowledge required, and even fewer who are willing to sacrifice their time to do work that's mostly invisible.

To attract more people for the task, we first need to recognise the importance of it, we need to be *proud* of the people who are already doing it. And then, we can encourage volunteers to help out, and existing members to mentor them.

One of the hardest parts is this, the mentoring part (due to time constraints and an already high load, just to name two issues), but perhaps we could persuade former members of the security team to take on this role?

If one can learn a lot about software and security, when there's someone else to mentor, that makes it - in my experience - a lot more appealing to volunteer, than being thrown into high waters, and hoping one can swim.

Having a very, very diverse set of skills can also help one at his or her day job (it certainly helped me), so being part of the security team is easily a good way to further advance one's own career.

--
|8]