On 05/27/2015 08:57 PM, Matthew Miller wrote:
> On Wed, May 27, 2015 at 08:43:14PM -0400, David A. Cafaro wrote:
>> True, but how long do we wait from first contact on a security ticket
>> before we start the non-responsive policy? 3 pings on a ticket? 1
>> month after first ping on a ticket? That's the policy we need to set to
>> trigger a start of the non-responsive package maintainer process.
>
> If there's an immediate security issue in a case like this, we should
> follow the provenpackager process and find someone else to address it.
> (And _then_ follow the normal non-responsive process if necessary.)

I'm all for that, so if a critical ticket comes in, and we request a patch
against that ticket, we give the packager 24-48 hours to respond? No
response, we follow the provenpackager process, get it addressed, then the

What about important tickets?

What I'm looking for is just a hard rule on how much time we give a
packager to respond before we work around them. I want these things
fixed, but I also don't want to piss off someone who just happened to be
traveling or something when the ticket came in. If we state clear rules
that we follow then there are fewer hurt feelings.