Security Working Group - Wednesday May 12 - results

Andrew Jeffery andrew at aj.id.au
Mon May 17 09:15:55 AEST 2021


On Sat, 15 May 2021, at 04:32, Joseph Reynolds wrote:

> In general, it is hard to know who to contact.  

I think it deserves some effort, no? Talking in abstractions doesn't 
help as we're not discussing the abstract but specific patches, some of 
which you've left a comment against.

Equivalently, saying "In general, it is hard to build secure systems" 
and then not putting in any further effort as a consequence isn't 
acceptable - we need to do the work; narrow the statement from the 
abstract to the specific and do our best to mitigate risks. That same 
strategy of narrowing the abstract to the specific applies here.

Given you've already commented on one of the patches I don't think it's 
a big leap to look at who the author is and include them on related 
discussions in other mediums.

So anyway, I think this open source process works best if we recognise 
that resolving issues requires bringing people together, and not 
treating the work as some kind of abstract process. I feel like 
broadcasting (1-to-many) the minutes here without including the people 
impacted by the discussion creates a separation. Let's put the effort 
in to bring the right people into discussions from the outset.

> Note 
> that I am following up on this item privately through other channels. 

Okay, hopefully I'm included on those discussions too.
 
> Finally, during the meeting, I encouraged attendees to make comments in 
> the relevant gerrit review process.

Great! I hope we can capture the concrete concerns in the patch 
comments and work to resolve them.

Andrew