On 13/10/2018 00:02, Takashi Iwai wrote:
On Fri, 12 Oct 2018 15:20:56 +0200, Wolfgang Rosenauer wrote:
Hi Takashi,
talking about only mercurial here.
Am 12.10.18 um 15:15 schrieb Takashi Iwai:
due to the lack of time, I'd like to give away my maintainership of two packages: git and mercurial. More strictly speaking, it's about "Bugowner" field that needs to be re-assigned.
Since both are commonly used programs, I hope someone will take over it and I can avoid submitting deletereq for them :)
I'm a bit surprised:
wolfi@Hygiea:~> osc maintainer -e mercurial Defined in package: devel:tools:scm/mercurial bugowner of mercurial : wolfgang@rosenauer.org, tiwai@suse.com
maintainer of mercurial : wolfgang@rosenauer.org, tiwai@suse.com, develop7@develop7.info
The package is actually well maintained AFAICT. develop7 is very quick in getting new versions in and I also care. It's true that for maintenance requests (aka security fixes) it mainly fell back to you. Not sure if that is because you were faster in reacting or you carry a suse.com address and the security people consider this primary above a community contributor?
I don't think we have any big issue regarding the develproject itself. We can take the latest-and-greatest version if any security problem comes up, and that's easy. It's all for TW. And we are lucky that there are multiple great people contributing to these packages.
So, I think I can just step down from devel:tools:scm/mercurial. But, as you stated, it comes to an interesting question when the topic is about security, especially for Leap (that is actually SLE).
In general, the security issues are shared only among limited people at an initial state. That's the reason SUSE people may get information earlier (and hence often responsible to react earlier, too).
How can it be communicated with the external community maintainer? I don't know -- it's a question to security team, I suppose.
If the package is part of SLE releases then it must have a maintainer / bugowner inside SUSE that is responsible for fixing security issues and L3 customer issues raised in SLE. That person must also be one of the bugowners / maintainers in obs so they can submit maintenance fixes from the community into SLE then Leap. As you seem to be the maintainer inside SUSE you actually need to speak to the maintenance team inside SUSE and find a new maintainer inside SUSE, they can then be set as the bugowner alongside Wolfgang in obs to deal with those issues. As a side note there is a number of packages where the system I described above is not happening. Hopefully we will get those fixed soon. -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B