[openstack-dev] [Horizon] Nominations to Horizon Core

Bryan D. Payne bdpayne at acm.org
Thu Dec 12 04:08:59 UTC 2013


>
> We can involve people in security reviews without having them on the
>  core review team.  They are separate concerns.
>

Yes, but those people can't ultimately approve the patch.  So you'd need to
have a security reviewer do their review, and then someone who isn't a
security person be able to offer the +1/+2 based on the opinion of the
security reviewer.  This doesn't make any sense to me.  You're involving an
extra person needlessly, and creating extra work.



> This has been discussed quite a bit.  We can't handle security patches
> on gerrit right now while they are embargoed because we can't completely
> hide them.
>

I think that you're confusing security reviews of new code changes with
reviews of fixes to security problems.  In this part of my email, I'm
talking about the former.  These are not embargoed.  They are just the
everyday improvements to the system.  That is the best time to identify and
gate on security issues.  Without someone on core that can give a -2 when
there's a problem, this will basically never happen.  Then we'll be back to
fixing a greater number of things as bugs.

-bryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131211/32b2d2bf/attachment.html>


More information about the OpenStack-dev mailing list