On 07/06/2016 10:37 AM, Anthony G. Basile wrote:
>> > If council approval of special projects as lead is an important factor,
>> > maybe we should rather also approve security leads?
>> > 
> Approving a security lead is not sufficient.  QA is governed by GLEP 48.
>  The very procedure of producing a glep means scrutiny by the community
> as to its scope, mandate, procedure and powers.  By the security team
> simply thinking it has the powers to p.mask and bump packages, it is
> essentially circumventing Gentoo governance.  If it needs these powers,
> it should go through QA.

I'm not aware of any security policy that indicates bumping packages as
being a role for security (it really is up to maintainer), but it is an
interesting point for p.mask that is part of the written policies of the
project.

A GLEP for the security project would make a great deal of sense in
general and is on overtime. I will stop the discussion of any specifics
on that at this point though, as it hasn't been discussed within the
project which in any case is a natural first step to things.

-- 
Kristian Fiskerstrand
OpenPGP certificate reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
