On Wed, Feb 18, 2004 at 04:54:34PM -0500, Nathanael Nerode wrote:
> Anthony Towns wrote:
> >On Sat, Feb 14, 2004 at 11:06:39AM -0700, Jamin W. Collins wrote:
> >> On Sun, Feb 15, 2004 at 03:28:54AM +1000, Anthony Towns wrote:
> >> > It's fine that he feels blocked. I feel blocked from getting testing
> >> > working as well as it should because the security team aren't willing
> >> > to support it. Every now and then I try to convince them to change
> >> > their minds. So far they haven't, and don't look like ever doing so,
> >> > but that doesn't make them bad people, and no matter what I want a
> >> > different answer, or how much I might know about their job, they're
> >> > the ones in the best position to make that call. And until I do the
> >> > job myself or convince someone else to do it, and demonstrate that
> >> > it's doable, I've got no cause to expect _any_ assistance from the
> >> > security team.
> Exactly -- as opposed to the situation with wanna-build, where people offering
> buildds have cause to expect assistance from the wanna-build access
> controller.

*sigh*

What makes you think you have any more right to expect help from the
buildd maintainers than the release manager has to expect active support
from the security team?

You know, neither you nor Ingo being developers, there not being a
particularly significant long term problem there to address, the security
team having access to resources that aren't easily duplicated (the 11
arch restricted-access autobuild network, and early announcements of
security issues) unlike the w-b controllers...

Whatever it is that's made you think that has misled you.

> [..] can offer security updates for their 'testing' packages, and send
> them to testing-proposed-updates, correct? [..]
> It is also a reasonable way to distribute the work.

The assurance you need to be able to make is "there are no known security
bugs in any of this software"; without centralised tracking of security
issues, and a guarantee that people will respond to issues raised in a
timely fashion, it's not, IMO, reasonable to recommend testing to users
except in very restricted environments.

Using t-p-u is entirely possible, but it doesn't really solve the problem.

Cheers,
aj

--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

Linux.conf.au 2004 -- Because we could.
http://conf.linux.org.au/ -- Jan 12-17, 2004