On 3/13/17 3:10 PM, Thomas Deutschmann wrote:

> I completely disagree with that.
> 
> The whole powerful lead/deputy thing is going in the wrong direction.
> 
> We don't need that. The security project is nothing special and doesn't need
> a strong lead with such power to rule the entire Gentoo project.
> 
> In general, every full member in the project should be equal. So I would
> list them all as confidential contacts, for example. This would lower the
> chance of compromising a member because an attacker wouldn't know who will
> get contacted. If we only had one contact (like the lead) this
> would be a high-value target.

That is not possible (every full member as a confidential contact). This
is not something that is allowed by the upstream early notification
teams. We have tried using a mailing list and only very few would accept
that.

Also, this is important for points of contact as well. Once the
confidential contacts receive the email they put it into Bugzilla and make
it a security bug; at that point everyone sees it.

> Because the security project has some inactive/dev away members the team
> maybe want to select some main contacts instead. But this is up to the
> team/project and doesn't belong in any GLEP.

That is the whole point of elections: if the lead is away then the
deputy takes over the role. If the deputy cannot do the job for some
reason then they can be changed to another deputy. There are no problems
with that, the deputy role being a non-elected role.
