Re: [all candidates] Advertising testing and security support

To: <debian-vote@lists.debian.org>
Subject: Re: [all candidates] Advertising testing and security support
From: Moray Allan <moray@sermisy.org>
Date: Thu, 28 Mar 2013 17:39:30 -0600
Message-id: <[🔎] 1d80ba81653598f2605978ba173c14c8@www.morayallan.com>
In-reply-to: <[🔎] 20130319225257.GB6028@loar>
References: <[🔎] 20130319225257.GB6028@loar>

On 2013-03-19 16:52, Jérémy Bobbio wrote:

Even if a dedicated team is supposed to care about security in
testing [1], the dedicated mailing-list [2] has not seen anannouncement
since February 2011.

Debian Security Advisories don't only comment on the stable for stable-- looking through recent DSAs, most of the time a fix has been readyfor testing as well as stable.

Dear candidates, do you think it would be wise to advertise `testing`as
a usable distribution to our users given that state of affairs?

I am already happy to advertise testing to large categories of users,so yes, as long as the reasons to choose this option compared to stable,and reasons to avoid it, are made clear.

Are you only talking about increasing "official" mention of testing asan option, or do you think that individual people don't feel they arewelcome to advertise testing? (If so, why do you think they don't?)

Given
that our security support for stable is already not as best as itcould
be, do you think we should encourage volunteers to be more active in
security support for testing?

From our current starting point, I don't see that encouraging more useof testing would be likely to harm stable security support. I amslightly worried that if we had a popular rolling release different fromcurrent testing it might indirectly harm the quality of the stablereleases, but I still wouldn't see that as a reason to try to discouragepeople working on things they want.

Do you have ideas on how to attract more
volunteers to the dull, hard, and sometimes boring tasks of takingcare
of security issues in Debian?

It's not clear to me why you seem to think that dealing with securityissues is more dull/boring than general package maintenance! Locatingsecurity issues may sometimes be challenging, but can be quite fun; theprospect of early access to embargoed information can attract somepeople; and working across the whole distribution should be morevaried/interesting than working on individual packages. Perhaps part ofthe way to attract more people could be to look for them whileemphasising these positive aspects? I equally don't think we shouldassume that something being hard will in itself discourage volunteers.

In practical terms I don't see any difference from how to get morevolunteers for anything in Debian: those currently involved and othersinterested in the topic should provide clear documentation (includinge.g. wiki pages with current status and things people could work on),advertise what's happening and the desire for volunteers on the mailinglists, and reach out to people working on related topics for ideas andpossible direct help.


--
Moray

Reply to:

References:
- [all candidates] Advertising testing and security support
  - From: Jérémy Bobbio <lunar@debian.org>

Prev by Date: Re: [all candidates] Removing or limiting DD rights?
Next by Date: Re: Debian for third party (read: propietary) apps/vendors
Previous by thread: Re: [all candidates] Advertising testing and security support
Next by thread: Re: [all candidates] Advertising testing and security support
Index(es):
- Date
- Thread