>>>>> "JB" == Josh Bressers <bressers@xxxxxxxxxx> writes:

JB> I've looked that document over in the past. I admit the times at
JB> the end chart scare me.

I agree. The idea was to have a few guidelines so that we weren't accused of being arbitrary, but it sort of grew beyond reason. Anyway, it's just a draft.

JB> Critical: Don't bother waiting for the maintainer, do whatever it
JB> takes to fix it.

That's a huge amount of power to grant a security team for a project like Extras. But also, it would imply certain things about the Extras security team that we don't really want to imply.

Most importantly, we don't want anyone getting the idea that it is our job to fix security problems. It's not; that falls to the maintainer. The security team exists (or would exist, under the current proposal) to assist maintainers and only to step in, in an emergency, when the maintainer is inactive or if the maintainer requests assistance.

That's why we propose waiting a minimum of 24 hours before waiting to hear from a maintainer. Sure, if we have a patch we'd attach it to the bug, just the same as anyone else could. But we wouldn't actually step in and do anything until the prescribed waiting period was up.

- J<