Hi,

On Sat, Mar 08, 2014 at 07:36:23PM +0100, Christoph Biedl wrote:
> Moritz Muehlenhoff wrote...
>
> > Security archive
> > ----------------
> >
> > * In order to avoid bottlenecks and to open up the security process
> >   further we're planning to allow maintainers which are not part of
> >   the security team to release security updates on their own. This
> >   applies to packages which have frequent vulnerabilities and where
> >   the maintainers are involved in the update process anyway.
>
> The current model at least theoretically allows someone (read: the
> security team) to review the patch provided by the maintainer. I like
> that four-eyes principle and wouldn't want to give it away.
>
> But perhaps your plan is rather about moving the task of the actual
> upload to the maintainer *after* some discussion? Or will you stand
> being surprised by an unannounced security upload? (This is none of
> my business, I'm just curious.)

Disclaimer: there is no actual implementation for this yet, so only a
comment on that:

The idea is to have something like the DM upload permissions. There are
packages which receive frequent updates through security, where already
now the maintainer is the one doing all the packaging work, has the most
knowledge and testing time, but then the bottleneck to actually release
the package is the load/time missing on the team.

As Moritz writes, this will apply only to some specific packages.

Hope that clarifies,

Regards,
Salvatore