[openstack-dev] [Horizon] Nominations to Horizon Core
rbryant at redhat.com
Thu Dec 12 01:57:21 UTC 2013
On 12/11/2013 08:14 PM, Bryan D. Payne wrote:
> Re: Removing Paul McMillan from core
> I would argue that it is critical that each project have 1-2 people on
> core that are security experts. The VMT is an intentionally small team.
> They are moving to having specifically appointed security sub-teams on
> each project (I believe this is what I heard at the last summit). These
> teams would be a subset of the core devs that can handle security
> reviews. They idea is that these people would then be able to +1 / -1
> embargoed security patches. So having someone like Paul on Horizon core
> would be very valuable for such things.
We can involve people in security reviews without having them on the
core review team. They are separate concerns.
> In addition, I think that gerrit is exactly where security reviews
> *should* be happening. Much better to catch things before they are
> merged, rather than as bugs after-the-fact. Would we rather have a -1
> on a code review than a CVE?
This has been discussed quite a bit. We can't handle security patches
on gerrit right now while they are embargoed because we can't completely
More information about the OpenStack-dev