Re: [all candidates] Advertising testing and security support

[Gergely Nagy <algernon@madhouse-project.org>]

Jérémy Bobbio <lunar@debian.org> writes:

> Dear candidates, do you think it would be wise to advertise `testing` as
> a usable distribution to our users given that state of affairs? Given
> that our security support for stable is already not as best as it could
> be, do you think we should encourage volunteers to be more active in
> security support for testing?

First of all, our security team is doing an excellent job, considering
the amount of work required and how few people they are, their response
time and the quality of work they do is very high. Could it be improved?
Yes, of course. With enough manpower at our disposal, we could
pro-actively search for and find security issues! But we're nowhere near
that, nor should we be, I believe.

As for advertising testing: for some uses, we should, yes. But without
security updates managed by the security team, those uses are fairly
limited, and the consequences must be kept in mind. This makes it hard
to make a good case for testing.

If we'd have enough manpower to handle security updates for testing
aswell (either via unstable, or through other channels), that would help
tremendously. Not only our users, but our maintainers would have it
slightly easier too. Therefore, I find it a commendable task to
encourage volunteers to work on security support (be that for stable,
testing or otherwise).

> Do you have ideas on how to attract more volunteers to the dull, hard,
> and sometimes boring tasks of taking care of security issues in
> Debian?

Realizing that the task is neither dull nor boring would be one step. It
is hard quite often, though.

I do have a couple of ideas (shamelessly borrowed from my former boss,
who convinced me to work at the support department instead of
development), but these may present more problems than what it solves,
at least initially.

You see, preparing security releases is a complicated task, one that
requires a good knowledge in a number of areas: packaging, security, a
multitude of languages, upgrade paths, and so on and so forth. It
requires a particularly diverse set of skill. That is also that makes it
so very interesting (even entertaining, in some respects). There aren't
many people who have the diverse knowledge required, and even less who
are willing to sacrifice their time to do work that's mostly invisible.

To attract more people for the task, we first need to recognise the
importance of it, we need to be *proud* of the people who are already
doing it. And then, we can encourage volunteers to help out, and
existing members to mentor them. One of the hardest parts is this, the
mentoring part (due to time constraints and an already high load, just
to name two issues), but perhaps we could persuade former members of the
security team to take on this role?

If one can learn a lot about software and security, when there's someone
else to mentor, that makes it - in my experience - a lot more appealing
to volunteer, than being thrown into high waters, and hoping one can
swim. Having a very, very diverse set of skills can also help one at his
or her day job (it certainly helped me), so being part of the security
team is easily a good way to further advance one's own career.

-- 
|8]