Extras Security Policy

Jeff Spaleta jspaleta at gmail.com
Thu Sep 8 13:38:01 UTC 2005


On 9/8/05, Warren Togami <wtogami at redhat.com> wrote:
> but security is *hard* for volunteers to do.  Nobody is accountable
> because it isn't their job responsibility.  Volunteers generally do the
> "fun" things first, and sometimes one-time harder problems.  This does
> not describe what it takes to maintain eternal vigilance necessary of
> people focused on security in the long-term.  I am talking here of
> realistic expectations of volunteer capability.

Fighting fires and saving lives are hard things..we have volunteer
fire fighting departments all over this country. What we need isn't so
much instant security experts..what we need is a way to "train" people
who are willing to become those experts. There are many brick and
mortar examples of taking inexperienced volunteers and investing
knowledge and time into molding them so they can perform a
specific critical function well.  Part of the payoff for the volunteer
is the self-development aspect of being trained and learning new and
valuable skills. But the managing entity has to do a good job of
defining the role, the responsibilities and providing the training.
Yes... this is going to be a resource outlay...there is no way around
it. Creating valuable critical need human capital requires some
resource investment.
I'll bring up the general conversation about volunteer training again
once the foundation lands.  I'd personally donate money to the
foundation specifically to create a volunteer self-development program
to meet critical needs. In fact.. I promise.. the next time I go to
Atlantic City..I will donate all my blackjack profits to the
Foundation.


> There are things that we can do like improve the package review
> guidelines for security aspects like you suggested.  This is a good
> first step, because it means everyone in a little way is responsible for
> security.  "Many eyes."

Besides many eyes.... would it help to attempt to toolize more of the policy?

-jef



