[openstack-dev] [Horizon] Nominations to Horizon Core
nkinder at redhat.com
Thu Dec 12 04:32:44 UTC 2013
On 12/11/2013 08:08 PM, Bryan D. Payne wrote:
>> We can involve people in security reviews without having them on the
>> core review team. They are separate concerns.
> Yes, but those people can't ultimately approve the patch. So you'd need
> to have a security reviewer do their review, and then someone who isn't
> a security person be able to offer the +1/+2 based on the opinion of the
> security reviewer. This doesn't make any sense to me. You're involving
> an extra person needlessly, and creating extra work.
>> This has been discussed quite a bit. We can't handle security patches
>> on gerrit right now while they are embargoed because we can't completely
>> hide them.
> I think that you're confusing security reviews of new code changes with
> reviews of fixes to security problems. In this part of my email, I'm
> talking about the former. These are not embargoed. They are just the
> everyday improvements to the system. That is the best time to identify
> and gate on security issues. Without someone on core that can give a -2
> when there's a problem, this will basically never happen. Then we'll be
> back to fixing a greater number of things as bugs.
+1. I'd really like to see at least one security representative per
project on core who makes sure that incoming code and blueprints are
following security best practices. These best practices still need to
be clearly defined, but it's going to be impossible to uphold them once
they are established unless someone with review power is involved. We
want security to be more proactive instead of reactive.