On 07/06/2016 10:04 AM, Anthony G. Basile wrote:
> Having people review your work is a good idea, no?  So in cases where
> security wants to touch a package, why not ping the maintainer first
> and in case of a dispute or no response, escalate the issue to QA who
> will review the problem and act.
> 
> Are you okay with this change in procedure?

It really depends on the severity of the security issue and QA response
time. In general it seems like additional complexity, and the use of
package masks is rare in general (and questionable in the specific
context being discussed, so generalizing from that is bad form).

If a bug should not be a security bug, why not mention as much in the
bug report? I'm looking at 459274 and there is no maintainer response to
it in more than 3 years. For 473770 there is no mention of which package
it is fixed in, and generally bad tracking that even includes a move to
github losing old references and a "I can't reproduce this" concluding
it is fixed for all systems.

In areas like this maintainers are the ones that need to track upstream
development of packages, and point out which released versions contain
fixes or which patched version downstream does. Security can't in any
case keep track of all packages in tree, in particular with the low bar
there seems to be for adding new ones.

That said, the reason the mask is questionable in this case is the low
severity of the bug, but that isn't a general case.

If council approval of special projects as lead is an important factor,
maybe we should rather also approve security leads?

-- 
Kristian Fiskerstrand
OpenPGP certificate reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
