[openstack-dev] [Horizon] Nominations to Horizon Core
Russell Bryant
rbryant at redhat.com
Thu Dec 12 01:57:21 UTC 2013
On 12/11/2013 08:14 PM, Bryan D. Payne wrote:
> Re: Removing Paul McMillan from core
>
> I would argue that it is critical that each project have 1-2 people on
> core that are security experts. The VMT is an intentionally small team.
> They are moving to having specifically appointed security sub-teams on
> each project (I believe this is what I heard at the last summit). These
> teams would be a subset of the core devs that can handle security
> reviews. The idea is that these people would then be able to +1 / -1
> embargoed security patches. So having someone like Paul on Horizon core
> would be very valuable for such things.
We can involve people in security reviews without having them on the
core review team. They are separate concerns.
> In addition, I think that gerrit is exactly where security reviews
> *should* be happening. Much better to catch things before they are
> merged, rather than as bugs after-the-fact. Would we rather have a -1
> on a code review than a CVE?
This has been discussed quite a bit. We can't handle security patches
on gerrit right now while they are embargoed because we can't completely
hide them.
--
Russell Bryant