If we all take a ML or two, share what we're doing, then we'll divide the labor and be more efficient at keeping Arch secure.
Good idea, I think the best way to manage that is by categories of packages, like language interpreters, frameworks etc. People with a good technical level would be able to not only file bug reports about CVEs, but write/comment on patches, test stuff, speak to upstream etc. I think we should manage to get people dealing with:

- perl and associated software
- python and associated software
- java and associated software
- ruby and associated software
- Xorg stuff
- gtk and associated DE/software
- qt and associated DE/software
- etc.

The job is basically just to follow mailing lists (both development and user), security advisories (if any) and bug trackers on a regular basis. You will quickly learn the different kinds of vulnerabilities if you don't know them already. For the languages, I think it's better to be able to deal at both the interpreter level (often written in C) and the language level. And of course, there is enough space for more than one person per category.

RbN