Petteri Räty wrote:
If you can't manage weekly commits, you can't respond to security issues either.

I can see your point; I was thinking more about developers who have maybe one or two small packages that don't have many version bumps or bugs. They may be entirely able to respond to security issues, but may not have reason to make the weekly commit quota. I don't know the habits of developers well enough to know if this is a reasonable scenario.

I was under the impression that if a dev couldn't respond quickly enough to a security issue, the security team could take steps (mask the package, try to fix it) to ensure the package doesn't pose a problem (as is presumably the case now with devs who forget to mark themselves as away). Depending on the actions you envisaged (sending a warning email, marking as away or retiring) this could create a lot of extra work for little benefit. If it was simply a warning email it might not be very pointful, but if it was marking them as away then it sounds like it could be useful and automated... 5:)

Mike  5:)
--
gentoo-dev@lists.gentoo.org mailing list