On Mon, Mar 15, 2010 at 11:42 PM, Magnus Therning <magnus@xxxxxxxxxxxx> wrote: >> >> 1) what allan said : >> A group could monitor security issues and file bugs to get the devs to >> fix them. > > Is there any evidence that this is actually needed? > No, Allan asked for some numbers, and I am curious too. > My impression is that maintainers already are monitoring upstream releases. > When they are lagging, there are users who mark things out-of-date. The > occasional non-maintainer upload doesn't seem to warrant a dedicated team. > >> 2) resume and finish the gpg work for pacman & friends > > Sure, that is worth doing. Is it really a task for a dedicated security team? > It sounds more like a one-time thing for a group of developers. > This is also true.. more or less. It does not matter how the people doing the work are called. There is no one writing code, no one giving technical advices, no one testing. There are only users asking for signed packages.