On Thu, Mar 9, 2017 at 2:53 PM, Ben Kelly <bke...@mozilla.com> wrote:

>
>
> On Thu, Mar 9, 2017 at 5:48 PM, Eric Rescorla <e...@rtfm.com> wrote:
>
>>
>>
>> On Thu, Mar 9, 2017 at 2:43 PM, Ben Kelly <bke...@mozilla.com> wrote:
>>
>>> (Just continuing the thread here.)
>>>
>>> Personally I prefer looking at the bug for the full context and single
>>> point of truth.  Also, security bugs typically can't have extensive
>>> commit messages and moving a lot of context to commit messages might
>>> paint a target on security patches.
>>>
>>
>> Can't you determine that by just looking to see if the bug is visible?
>>
>
> So you are saying we should just write SECURE BUG REDACTED in these commit
> messages now?  Or do we have to fabricate a paragraph to match other
> commits now?
>

I'm not saying either of these things. What I am saying is that it's
trivial to determine security bugs by checking to see if you can see
them in Bugzilla. Do you disagree with this?


> Right now our security bug process asks about the commit message and if it
> "paints a target" on the patch.  If you want to change our commit message
> policy, please adjust that or take it into account.
>
> And I also agree with the other commenters here that complexity should be
> described in code comments.
>

You are arguing with other people here, not me.

-Ekr


>
> Ultimately as long as the code is explained via comments, the bug is
> up-to-date, and our secure bug process isn't broken I don't have a strong
> opinion here.
>
>
>
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
