On Jan 18, 2008, at 8:44 PM, David Metzler wrote:
Thanks for the willingness to consider changes.
Gladly.
I'd agree in starting small.
Completely. These grand plan threads always turn into lists of issues, and often just implementing the first few goes a long way in fixing the problem.
Having an issue queue where code could be posted, shared and tested does go a long way to alleviating my concerns. I could probably get by with the testing of an applied patch, or whole module file.
Great.
We should factor in some way of bringing in the user that reported the problem. Particularly if they are doing so because they've been exploited. This has never happened to me yet, but seems like the prudent thing to do. I'm sure accommodations for bringing others into the issue queue can be made on a case by case basis at the security team's discretion.
Yup, all good. An obvious solution here is to make every project an OG (closed/invite-only), which would solve *lots* of other problems at the same time. I can't wait to do that on d.o itself.
I think I would probably use the custom CVS repository, but I know that I'm different enough in my use of CVS, and deployment strategies, that it may not be worth the effort to develop just for me. Let's wait till we hear more requests.
Sounds good.
Thanks again for listening.
Agreed. Thanks, -Derek