[openstack-dev] [Horizon] Nominations to Horizon Core
Bryan D. Payne
bdpayne at acm.org
Thu Dec 12 01:14:46 UTC 2013
Re: Removing Paul McMillan from core
I would argue that it is critical that each project have 1-2 people on core
that are security experts. The VMT is an intentionally small team. They
are moving to having specifically appointed security sub-teams on each
project (I believe this is what I heard at the last summit). These teams
would be a subset of the core devs that can handle security reviews. They
idea is that these people would then be able to +1 / -1 embargoed security
patches. So having someone like Paul on Horizon core would be very
valuable for such things.
In addition, I think that gerrit is exactly where security reviews *should*
be happening. Much better to catch things before they are merged, rather
than as bugs after-the-fact. Would we rather have a -1 on a code review
than a CVE?
My 2 cents,
-bryan (from OSSG)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev