Re: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: g

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: g

From:	Leo Famulari
Subject:	Re: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
Date:	Tue, 16 Mar 2021 18:03:30 -0400

On Tue, Mar 16, 2021 at 10:46:11PM +0100, Bengt Richter wrote:
> Just wish I could type
>     guix --what-and-who-am-I-trusting-q --full-report
> and get a complete list, with batting averages of the
> developers (regressions vs fixes), packages (estimated
> number of times executed without problem, dangerous bugs
> in development history, etc).

Leaving aside the rest of your suggestion, which has merit, I strongly
object to ranking Guix contributors in that way. Most of us feel bad
enough about our mistakes without some kind of public scoreboard.

In general, as the person who was the de facto security team leader for
several years, I feel that such a position should be supported in a
material way.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?, (continued)

Prev by Date: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
Next by Date: Re: [opinion] CVE-patching is not sufficient for package security patching
Previous by thread: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
Next by thread: Re: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
Index(es):
- Date
- Thread