Date: Tue, 16 Mar 2021 18:03:30 -0400
From: Leo Famulari
To: Bengt Richter
Subject: Re: Security-czar needed? WAS: Re: Release 1.2.1: zstd 1.4.4 -> 1.4.9: grafting or core-updates?
In-Reply-To: <20210316214611.GA17584@LionPure>
Cc: Guix Devel

On Tue, Mar 16, 2021 at 10:46:11PM +0100, Bengt Richter wrote:
> Just wish I could type
> guix --what-and-who-am-I-trusting-q --full-report
> and get a complete list, with batting averages of the
> developers (regressions vs fixes), packages (estimated
> number of times executed without problem, dangerous bugs
> in development history, etc).

Leaving aside the rest of your suggestion, which has merit, I strongly
object to ranking Guix contributors in that way. Most of us feel bad
enough about our mistakes without some kind of public scoreboard.

In general, as the person who was the de facto security team leader for
several years, I feel that such a position should be supported in a
material way.