
Re: Stable security support



On Thursday 22 December 2005 09.59, Anthony Towns wrote:
> On Thu, Dec 22, 2005 at 08:54:36AM +0100, Adrian von Bidder wrote:
> > Problem with a GR: it doesn't get any work done.
>
> Right; that's not the intention of the GR though -- the intention is
> to authorise people to do the work. I've done all I feel I'm within my
> rights to (and in fact slightly more than that) in providing access to
> security.d.o to some of the testing-security team. While I could try
> doing more than that, and possibly succeed thanks to my tyranny over
> Unix permissions, I don't particularly want to provide any substance to
> accusations of coups and whatever else.

Ah.  To me, that is quite a bit of the missing piece of information on why 
you feel this GR is needed.  To me the GR sounds very much wishy-washy, 
kind of 'let's appoint some people who might then do some work.'  With what 
you say here, I can see the motivation for this GR.  Also, it becomes 
clearer as it's apparently not clear whether the security team are 
delegates - I assumed they were (and feel they should be).

Maybe - is it time to clear this issue now?
http://people.debian.org/~branden/dpl/reports/2005-07-07.html
branden:
| I have sent the Debian Security Team a proposal for making DPL delegates
| out of its members; 

Whatever became of that?

(Hmmm.  What *is* the current status? 
http://lists.debian.org/debian-security/2005/08/msg00226.html only muddies 
the water for me.)

Word from the DPL or SecTeam members would be welcome here - do they operate 
under the assumption that the security team are delegates?

> I don't know if it carries more or less weight having me say it, but
> I think it's entirely appropriate to cut Branden a lot of slack in not
> trying to come in as DPL and "fix" this.

Well, I'm extremely ambivalent on this matter.  I often have the feeling 
that a more vocal DPL could in some instances give the project a clearer 
idea where to go - or, maybe, if the DPL wants to go where others don't 
want, issues would be debated earlier.  OTOH a vocal/active leadership-type 
DPL might meet opposition in the project on unprecedented scale, so maybe 
the Way It's Always Been Done(tm) isn't so bad...

Back to the topic at hand:  Can't Joeyh, Steve and Micah just be added to 
the security team[1] along with Martin (same disclaimer as in your mail: 
assuming they want to) and assume that the security team will work out 
amongst themselves who would continue to care about current stable security 
and who would do the 'redesign the process' part?  Assuming that 'member of 
the security team' does not automatically mean 'does need vendor-sec 
clearance and all kinds of assorted special Debian powers that can't be 
given to some of these people'.  Why just add them to the secteam instead 
of appointing them to a special redesign-the-process team?  Because I feel 
that if ever the result of that work should be useful, it needs to be done 
in close cooperation with the current security team anyway.

[1] by GR? By delegation? By invitation from the current secteam?  IMHO 
preferable (ii) or maybe (iii), GR doesn't feel right: if we're going to 
vote on people, we should have proper debates à la DPL vote, but this is 
creating a kind of procedure that seems, to me, much too heavyweight for 
this kind of job.

-- vbi


-- 
In 1933 many wanted to get out of Germany; today many want to get in.
That must mean something.
		-- Sir Peter Ustinov
