[csw-users] Security Vulnerabilities in Samba.
a.cervellin at acm.org
Sat Jul 21 01:16:26 CEST 2007
Jeremiah Johnson wrote:
> As far as automated, just define some rules.
> If a package is not updated in stable in two release cycles (6 months)
> then you could either consider it abandoned, or buggy.
it's not so easy... many, many packages are not updated only 'cause the
projects they belong to are dead.
> You may want to consider implementing a secondary maintainer for
> packages. This secondary maintainer wouldn't be in charge of the
> package, but could assist and should be on any mailing list related to
> the package. If the primary maintainer is too busy, or leaves then
> the secondary maintainer could take over as the new maintainre or
> temporarily until a new maintainer is found. The idea here is to have
> somebody else that knows about the package, so there isn't a loss of
> knowledge when a maintainer is lost.
this adds overhead: the pkgs mainteinance/submission process is already
slow & complex... what we need is a system, as easy and sutomated as
possible, that can determinate if a maintainer is not active and the
updates a page with this alert.
1- an automated email sent monthly to each maintainer: who does not
reply within 3 weeks is flagged by the system as inactive
2- a "ticket" web page which each maintainer must hit at least once a
month: if he doesnt, is flagged by the system as inactive
3- a check on the last ssh login on the blastwave's build machines: who
does not connect for more than 2 months, is flagged by the system as
More information about the users