Rick, a very good message (and well thought out).

On 3/13/17 4:33 PM, Rich Freeman wrote:
> On Mon, Mar 13, 2017 at 3:28 PM, Thomas Deutschmann <whi...@gentoo.org> wrote:
>
> The two areas that I see as possibly pushing security towards being a
> special project are:
> 1. Masking or otherwise directly touching packages without waiting
> for the maintainer if the timeline passes.
The security team does not like doing this since we do not know the internal workings of packages. But sometimes it is very much needed; remember "Heartbleed"? The notification came to our points of contact (Alex (a3li) and Tobias (keytoaster)); a private security bug was filed with a normal rating since the release was within our timelines. Then in a few hours the security team decided to release it. Well, I remember all hell breaking loose, and at that point direct involvement was involved. For that reason, for something like this I think we need a GLEP. Not to use every day, but let's call it "Emergency Power" that shall NOT be abused.

> 2. Being able to represent Gentoo on special security mailing lists
> that have tight distribution. (If somebody betrays this trust Gentoo
> could find itself cut off from all such lists, so Gentoo should use
> care here.)

This is very important. Pre-notification is on a case-by-case basis. While we can define points of contact, it is also important as a reputation for Gentoo. Let's say we want to become a CNA; just like other distributions (Debian, Red Hat, SUSE, Ubuntu), we need a person that would be responsible for coordinating the information and the appropriate paperwork, and coordinating with the Council or Foundation as needed. This cannot be a free-for-all.

> I'll finally note that there is also a possible compromise. We might
> make security somewhat special, but decide that its powers aren't that
> important and so let it self-govern without forced Council
> interaction. Even so we should probably create some avenue for appeal
> so that the next time an argument comes up over whether long-term
> masks vs overlays are the right solution people feel like they had
> input into the decision.

I think that it is not a power thing but more of a responsibility and accountability that is being defined. There is nothing about governance by the Council when I read the GLEP.
The only thing is the confirmation by the Council, since they are privy to a lot more information than all the isolated teams are, and can prevent problems ahead of time. The GLEP is a draft also, and I have already proposed some changes to Kristian about some wording. The idea here is that it is not someone taking away power, but just continuing what we have been doing in Security for years and just formulating some of the processes by the GLEP. We have always had leads that received notifications, communicated on behalf of the team, settled problems, etc. We have always discussed and provided opinions on changes, and no one was dictated something before discussion (unless Security Policy specific).