Lloyd Dewolf wrote:
> On Thu, Nov 24, 2011 at 7:30 AM, Thierry Carrez <[email protected]> wrote:
>> I want to turn the question around: why do *you* want more ?
> I don't think you are implying it, but just to snuff out any thought.
> I'm completely comfortable speaking for Piston Cloud that if by some
> craziness adjusting this policy to better serve the project required
> that Piston Cloud *never* was a member of the vulnerability group I'm
> certain I can get sign off on that.

I'm not implying anything. My question is why do you want more. Why is 3 not enough. From the rest of your (long) reply I suspect that you want more in order to have immediate, 24x7 coverage of security issues reported in OpenStack software.

> I feel like you might have accidentally skipped in your quoting at least
> one of my questions. What is the successful three person, email-based,
> implementation this is based on?

It's based on my own experience managing a Linux distribution security team that used to have some success (http://www.gentoo.org/security/en/index.xml). And in that case the minimum necessary number was actually (and still is) 2 people.

> [...]
> The process to come up with this list might look like:
> 1. Revisit who are the top candidate volunteers
> 2. Put their "usual" work day on a calendar including *weekends*. No healthy person works
> the same 8hrs seven days a week, so no one better claim they do ;-)
> 2.a Only allow each candidate volunteer to identify 8hrs per day.
>
> Come up with the minimum list with density of at least three at each hour.

I agree with you that such coverage requires way more than 3 people. Nobody in the current vulnerability management team is covering weekends. We rely on core project developers to implement and review the fixes, and those people don't work on weekends either. We coordinate the critical fixes and disclosure with multiple downstream distributions, which takes days -- and those don't work on weekends either.

My understanding is that you find the current team setup not good enough. I suggest you come up with a new improved proposal, together with the resources that would make it happen. I'm perfectly fine with letting my amateur community-based team be taken over by professionals, if that's the wish of the PPB. Doing this was never part of my job description.

The setup we proposed was (1) to have something (one month ago, we had *nothing*) and (2) to be realistic in relation to the rest of our current development processes (what's the point in covering weekends if you have to wait for week days to produce a fix or coordinate the disclosure).

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

