[openstack-dev] [Horizon] Nominations to Horizon Core
Bryan D. Payne
bdpayne at acm.org
Thu Dec 12 01:14:46 UTC 2013
Re: Removing Paul McMillan from core
I would argue that it is critical that each project have 1-2 people on core
that are security experts. The VMT is an intentionally small team. They
are moving to having specifically appointed security sub-teams on each
project (I believe this is what I heard at the last summit). These teams
would be a subset of the core devs that can handle security reviews. The
idea is that these people would then be able to +1 / -1 embargoed security
patches. So having someone like Paul on Horizon core would be very
valuable for such things.
In addition, I think that gerrit is exactly where security reviews *should*
be happening. Much better to catch things before they are merged, rather
than as bugs after-the-fact. Would we rather have a -1 on a code review
than a CVE?
My 2 cents,
-bryan (from OSSG)