On 08/09/2017 12:30 AM, Mark Côté wrote:
> Hi, I have an update and a request for comments regarding Phabricator and confidential reviews.
First of all, thanks for considering confidential bugs as part of this process. This was my main reason for not using moz-review.
> We've completed the functionality around limiting access to Differential revisions (i.e. code reviews) that are tied to confidential bugs. […]
> However, users outside of the security group(s) can see confidential bugs if they are involved with them in some way. Frequently the CC field is used as a way to include outsiders in a bug.
Note that Bugzilla warns us against adding people who do not have s-s access to an s-s bug. (This is an awesome feature, by the way.)
> […] First I want to double check that this is truly useful. […]
I did that multiple times in the past. The main reason for doing it was to CC the person who contributed the patch, such that at best they can contribute a fix as well, and in the worst case they can contribute insight for fixing the issue.
So not only are the CC'd persons asked to review; I might even ask them to submit patches to these security bugs. This is a way to gradually empower contributors, from my point of view.
Also, some users can open s-s bugs and contribute patches too. We should at least allow people from the CC list / reporters to submit new patches.
> The second question that would come up is whether this synchronization should apply to all revisions or just confidential ones. […]
Currently Bugzilla has a "private" flag on attachments: anybody without s-s flags who is added to the CC list of the bug should not have access to the private attachments, but should have access to any non-private attachments.
A similar "private" flag could be used to prevent the synchronization of the CC list / reporter who are outside the s-s group.
-- 
Nicolas B. Pierron

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
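The access rule the reply sketches, written out as a small model so the two cases can be checked side by side: a confidential bug is visible to its security group and to anyone directly involved (reporter, CC list), a "private" attachment is visible only to the security group, and a Differential revision synced from a private attachment would likewise exclude the involved outsiders. This is an added illustration, not Mozilla's, Bugzilla's or Phabricator's code; the user names, the group membership and the `revision_viewers` / `warn_on_outsiders` helpers are constructed for the example.

```python
"""Toy model of the confidential-bug access rule discussed in the thread.

Added illustration only: it does not call Bugzilla or Phabricator and the
group/user names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attachment:
    name: str
    private: bool  # Bugzilla's "private" attachment flag


@dataclass
class Bug:
    reporter: str
    cc: set = field(default_factory=set)
    # Members of the bug's security group (the "s-s" group in the thread);
    # membership here is constructed for the example.
    security_group: set = field(default_factory=set)
    attachments: list = field(default_factory=list)


def involved_users(bug):
    """Users Bugzilla lets into a confidential bug because they are involved in it."""
    return {bug.reporter} | set(bug.cc)


def can_see_bug(bug, user):
    """Security-group members always see the bug; involved outsiders do too."""
    return user in bug.security_group or user in involved_users(bug)


def can_see_attachment(bug, attachment, user):
    """A private attachment is restricted to the security group; a non-private
    one follows the bug's own visibility."""
    if attachment.private:
        return user in bug.security_group
    return can_see_bug(bug, user)


def revision_viewers(bug, attachment):
    """The access set a Differential revision would receive when synced from
    this attachment under the proposed rule: the security group always, plus the
    involved outsiders only when the attachment is not private."""
    viewers = set(bug.security_group)
    if not attachment.private:
        viewers |= involved_users(bug)
    return viewers


def warn_on_outsiders(bug):
    """Mirror Bugzilla's warning: list involved users who lack s-s access."""
    return sorted(u for u in involved_users(bug) if u not in bug.security_group)


def demo():
    """Constructed example: one s-s bug, an outside contributor on CC, and one
    private plus one non-private attachment."""
    bug = Bug(
        reporter="reporter@example.test",
        cc={"contributor@example.test"},
        security_group={"sec-member@example.test"},
        attachments=[
            Attachment("poc.txt", private=True),
            Attachment("fix.patch", private=False),
        ],
    )
    poc, fix = bug.attachments
    return {
        "outsider_sees_bug": can_see_bug(bug, "contributor@example.test"),
        "outsider_sees_private": can_see_attachment(bug, poc, "contributor@example.test"),
        "outsider_sees_fix": can_see_attachment(bug, fix, "contributor@example.test"),
        "private_revision_viewers": revision_viewers(bug, poc),
        "fix_revision_viewers": revision_viewers(bug, fix),
        "warned_outsiders": warn_on_outsiders(bug),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two halves of the proposal: the outside contributor can see the bug and the non-private patch and appears in the viewers of the revision synced from it, while the private attachment and its revision stay with the security group, and `warn_on_outsiders` reproduces the Bugzilla-style warning for that CC entry.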