On 2017-03-12 00:54, Kristian Fiskerstrand wrote:
>> 1. From this proposal it looks like the Security Project Lead
>> obtains a lot of power and a lot of responsibility, maybe too much
>> for a single person to handle.
>>
>> While the Deputy may be assigned, this still gives all power to
>> single hands. Maybe it will be better to establish something like
>> the Security Project Council (SPC)? E.g. three project members may
>> be elected to this SPC, so that all serious decisions will require
>> some team agreement from at least 2 SPC members. This way the
>> Deputy will not be needed as well.
>>
> The thinking here is that the project lead is the responsible party. Any
> ambiguity can still be escalated to the Gentoo Council, but someone
> needs to be responsible from the side of the Gentoo Security Project.
I completely disagree with that. The whole powerful lead/deputy thing is going in the wrong direction. We don't need that. The Security project is nothing special and doesn't need a strong lead with such power to rule the entire Gentoo project. In general, every full member of the project should be equal. So I would list them all as confidential contacts, for example. This would lower the chance of compromising a member, because an attacker wouldn't know who will get contacted. If we only had one contact (like the lead), this would be a high-value target. Because the security project has some inactive/dev-away members, the team may want to select some main contacts instead. But this is up to the team/project and doesn't belong in any GLEP.

--
Regards,
Thomas
