On Tue, 22 Jun 2010 13:16:23 +1000 "Allan McRae" <allan@archlinux.org> wrote:
> The point is that the developers around here already patch for security issues. The only change that I think that a security team will achieve is to notify me (as a developer) of issues that I have overlooked on the upstream mailing lists and file a bug report. It is a bonus if the issue is pre-analyzed for me and all relevant links supplied so I can assess it quickly myself and release a fixed package if I deem that being suitable.
>
> Allan
This is exactly what we plan to do, with the addition of providing interim PKGBUILDs (with a disclaimer that they are unofficial) and announcements when a security-related bug is fixed by a package update. Such interim PKGBUILDs would be peer-reviewed by the Security Team and submitted with the relevant bug report to aid the package maintainer. I can't see how this is not useful. It will also lighten the workloads of the devs and package maintainers.

Ananda