Developing a security Bat Signal?

Matthew Miller mattdm at fedoraproject.org
Thu Apr 10 13:44:45 UTC 2014


On Wed, Apr 09, 2014 at 12:54:38PM +0000, "Jóhann B. Guðmundsson" wrote:
> >I would say the _exact opposite_. We need to emphasize building those test
> >cases so they are there when needed.
> I agree with you but...
> A few years back I initiated an effort trying to improve reporting and
> testing and general efficiency and communication between reporters
> and maintainers and actually put some value in the karma process (
> have reporters actually go through some testing process not just
> fire up the app and give it karma based on just that ).

Yeah. This is a hard problem. It's hard to get maintainers to do more work,
and basically impossible to *mandate* that volunteers do anything. I know
you are familiar with that :).

The package review process is already very heavyweight, and I don't think we
can accomplish anything by adding more to it. We should try to find other
points where we can make maintainers aware of the importance and benefits of
setting these test cases up in advance, and encourage/motivate/reward them
for doing so.

I'm not sure if it helps to make this part of the "bat-signal" idea, but I'm
certainly interested in supporting it however I can. The easier we can make
it, the better. And the more *visible* we can make it, the better. I think a
lot of package maintainers aren't even aware. Maybe there is something that
can be done with the taskotron work. I had some ideas on this last month
<https://lists.fedoraproject.org/pipermail/devel/2014-January/194856.html>.
I didn't really follow up, but it's still on my mind and I'd love more
ideas, action, whatever.


> Now I want you to bear the above in mind that every time that you
> make decisions in any governing body in Fedora that is responsible
> for making system wide decisions and you serve on, the devastation
> the outcome of your vote can lead to and make life more difficult
> for others in various service sub-community and the project
> workflows and result in lower quality of our distribution hence I
> ask of you to always thoroughly familiarise yourself with the topic
> at hand and what the outcome of it will be in the long run before
> casting your vote on it.

I certainly do try to put exactly this thought into all of the decisions and
votes I make. And I think everyone in FESCo and other Fedora leadership
positions takes their role seriously as well. We are all human and sometimes
make mistakes, or make judgments without realizing some detail we should
have, but when there are real problems, we can always revisit. Sometimes it
is a painful process and not as fast as everyone would like, or not as
careful as others would, and not everything that should get done gets done
as quickly as would be ideal, but on the whole, I think we work things out
pretty well (*points to quote in signature*).

-- 
Matthew Miller    --   Fedora Project    --    <mattdm at fedoraproject.org>
                                  "Tepid change for the somewhat better!"