Proposal

Walter Hop freebsd at spam.lifeforms.nl
Wed Apr 9 15:22:58 UTC 2014


> In my opinion this issue couldn't have been handled any better considering what it takes to do the job properly, congrats to the security team from me.
> 
> -Kimmo

Please don’t frame this as criticism of the security people; that’s not fair. Of course we all congratulate them :)

I think we’re just interested in discussing what could be improved to improve response time and also make their lives better.

Do we need moar Jenkins? Extra build boxes? More cash to keep people on retainer? Resources for training new people? Liaisons with other projects to improve prior notification channels? Etc.

FreeBSD ports had a fix after ~4 hours I think, Ubuntu patched their base about an hour later, FreeBSD base took around 24 hours. Not super bad, but I think it’s safe to expect much more scrutiny of security-critical code in the coming years, so it looks like a good time to try to streamline if possible at all.

The public attention for this and similar events may also provide a unique window of opportunity for soliciting extra resources from professional users (e.g. via a Foundation campaign).

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp


