toltec-dev / organization

Documents, policies and meeting minutes of the Toltec organization.

Add security policy (fixes #6) #13

Closed matteodelabre closed 3 years ago

matteodelabre commented 3 years ago

who has access to the email?

I’m going to give access to the email to the maintainers, as with #12.

is there an SLA on responding + fixing or do we just use industry standard?

The current wording only says “as soon as possible”. What’s your opinion on this? I think we don’t really have the resources available to provide an SLA.

Eeems commented 3 years ago

No support or security guarantee of any kind is provided for the testing branch.

Since we also say this, I don't think we really care to provide an SLA.

raisjn commented 3 years ago

https://en.wikipedia.org/wiki/Responsible_disclosure - the industry standard is 90 days before disclosing a vulnerability in software, but for package repositories, it probably makes sense to look at Debian or Arch.

https://www.debian.org/security/disclosure-policy https://wiki.archlinux.org/index.php/Arch_Security_Team

Debian is a few days for initial response, then an attempt to get a fix in within 2 weeks (depending on severity). Not sure what Arch is, doesn't look specified.

I think leaving it unspecified is fine.

Eeems commented 3 years ago

We can have an internal target of 2 weeks depending on severity, with a few days to respond.

dixonary commented 3 years ago

I agree with having an internal target rather than something explicit. LGTM.

Who is authorised to merge?

LinusCDE commented 3 years ago

Not sure if we'd even need the email access. I think making the mail forward it to all of us would be fine. Some clubs are probably doing it similarly since responses usually come from their personal (but usually club specific) emails. But the current approach is probably better to keep up authenticity when responding from a random email and preventing duplicate answers.

(Not sure what the state on the mail is, but I have a mailcow mail server that could double for this domain as well and give out domain-admin accounts.)

LinusCDE commented 3 years ago

I agree with having an internal target rather than something explicit. LGTM.

Who is authorised to merge?

Usually the person who started a PR also merges it. If you're okay with it, it would be cool if you can review it.

Eeems commented 3 years ago

I agree with having an internal target rather than something explicit. LGTM.

Who is authorised to merge?

@dixonary I think we are just waiting on you to approve the PR and we can merge.

matteodelabre commented 3 years ago

We just need your review before we can merge this @dixonary. Thanks!

matteodelabre commented 3 years ago

Thanks!