On 7/6/16 8:11 AM, Rich Freeman wrote:
> Like I said, one mistake doesn't make a trend, and we shouldn't
> over-react to a mistake. However, the way to handle a mistake is for
> everybody to say "this was a mistake," not "you're the only person who
> has a problem with this." Let's just fix whatever broke (if it isn't
> already fixed) and move on. We don't need to defend mistakes.

+1

So what we don't want happening again moving forward is where a developer (me in this case) thinks he's provided the information needed for security, then the bug goes dormant 3 years, and then out of the blue a p.mask with 30 days notice until removal. Especially if the security issue is minor. The security@g.o list has 500+ open bugs going back years. We don't want this uncertainty to loom over all developers' heads. A reasonable policy here would help create clear expectations for security and other developers.

I don't think I need to add more to this since K_F appears to be working on something that will address this.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA