>
> > c. Get some specific people to volunteer to review patches in security
> > repo regularly - how? Any takers?
> >
> OFC it'd be ideal to have some karma holders to participate. And another
> option, which is IMHO eligible - we could invite several reporters. There
> is already a couple of people, who regularly report security issues and
> keep them confident until they're publicly disclosed. IMHO it is a good
> base for trust.
>
Yes, in the end this is about getting Stas some help here. He has been doing an incredible job for years now handling all these annoying off-by-one and >2gb string bugs. I occasionally read through the patches, but I haven't been doing it consistently, and even though there are a few other people on security@ who occasionally look through the patches, it obviously isn't enough. As a first step perhaps we just need to expand security@ a bit with the specific call for volunteers to help review security patches?

-Rasmus