[openstack-dev] [Horizon] Nominations to Horizon Core
rbryant at redhat.com
Thu Dec 12 14:09:46 UTC 2013
On 12/11/2013 11:08 PM, Bryan D. Payne wrote:
> We can involve people in security reviews without having them on the
> core review team. They are separate concerns.
> Yes, but those people can't ultimately approve the patch. So you'd need
> to have a security reviewer do their review, and then someone who isn't
> a security person be able to offer the +1/+2 based on the opinion of the
> security reviewer. This doesn't make any sense to me. You're involving
> an extra person needlessly, and creating extra work.
I don't want someone not regularly looking at changes going into the
code able to do the ultimate approval of any patch. I think this is
working as designed. Including the extra person in this case is a good
> This has been discussed quite a bit. We can't handle security patches
> on gerrit right now while they are embargoed because we can't completely
> hide them.
> I think that you're confusing security reviews of new code changes with
> reviews of fixes to security problems. In this part of my email, I'm
> talking about the former. These are not embargoed. They are just the
> everyday improvements to the system. That is the best time to identify
> and gate on security issues. Without someone on core that can give a -2
> when there's a problem, this will basically never happen. Then we'll be
> back to fixing a greater number of things as bugs.
Anyone can offer a -1, and that will be paid attention to. If that ever
doesn't happen, let's talk about it.
More information about the OpenStack-dev