On 13 September 2012 09:43, Jeroen Roovers <j...@gentoo.org> wrote:
> On Wed, 12 Sep 2012 20:53:20 +0200
> Pacho Ramos <pa...@gentoo.org> wrote:
>
>> > You can un-CC yourself. I don't see why security@ should be doing
>> > the legwork.
>>
>> It shouldn't be so hard to do; they can do it just when they CC
>> arches, instead of relying on some random team member to do it himself
>> once a useless message is received.
>
> It does become a chore when you have to check a list to match various
> CC'd people's preferences and decide whether to un-CC them based on
> that, the way they were CC'd (did they do it themselves, were they CC'd
> by security, and so on) and perhaps some other factors someone will no
> doubt soon propose in this thread.
>
> Basically you are saying, "why doesn't anyone else do my volunteer work
> for me".
>
>
>      jer
>

I don't mind getting the odd security bug mail. It's relatively low
volume, and I like to know what's happening to packages I maintain.

What irks me much more is that it can take half an eternity for
security bugs to get addressed properly. Especially minor arches can
stretch out the stabilization process for months or years. Recently we
(Qt team) had to push really hard and "punish" lagging minor arches
with hard-masking Qt libs and all reverse dependencies in order to get
an ancient version with several open security bugs removed from the
tree (because they hadn't keyworded/stabilized newer versions and were
unresponsive to our requests).

I think we should adopt a policy that we set a hard limit of 3 months
in which arches can address stabilization requests before we just drop
keywords. Even that is in my opinion an awfully long time to leave
vulnerable versions in the tree.

-- 
Cheers,

Ben | yngwin
Gentoo developer
Gentoo Qt project lead, Gentoo Wiki admin
