[openstack-dev] [Horizon] Nominations to Horizon Core
Russell Bryant
rbryant at redhat.com
Thu Dec 12 14:09:46 UTC 2013
On 12/11/2013 11:08 PM, Bryan D. Payne wrote:
> We can involve people in security reviews without having them on the
> core review team. They are separate concerns.
>
> Yes, but those people can't ultimately approve the patch. So you'd need
> to have a security reviewer do their review, and then someone who isn't
> a security person be able to offer the +1/+2 based on the opinion of the
> security reviewer. This doesn't make any sense to me. You're involving
> an extra person needlessly, and creating extra work.
I don't want someone not regularly looking at changes going into the
code able to do the ultimate approval of any patch. I think this is
working as designed. Including the extra person in this case is a good
thing.
>
> This has been discussed quite a bit. We can't handle security patches
> on gerrit right now while they are embargoed because we can't completely
> hide them.
>
> I think that you're confusing security reviews of new code changes with
> reviews of fixes to security problems. In this part of my email, I'm
> talking about the former. These are not embargoed. They are just the
> everyday improvements to the system. That is the best time to identify
> and gate on security issues. Without someone on core that can give a -2
> when there's a problem, this will basically never happen. Then we'll be
> back to fixing a greater number of things as bugs.
Anyone can offer a -1, and that will be paid attention to. If that ever
doesn't happen, let's talk about it.
--
Russell Bryant