Hi! I'd like to discuss an issue about the handling of security bugs.

We have a security repo which I and others check into bugs from time to time. The idea is for these to be reviewed by people having access there before we merge them, and then merge after the release. This, however, is not happening at all. The patches, as far as I know, are not reviewed at all, and merging a bunch of patches last minute with no review is extremely dangerous. I am trying my best with my patches, but I'm only human, and I feel increasingly uncomfortable having so many unreviewed patches in the release.

So, how can we fix it?

a. We could merge some of the patches at the RC stage, even though that might expose some issues.

b. We could somehow improve the review mechanism beyond the security repo we have now - ideas?

c. Get some specific people to volunteer to review patches in the security repo regularly - how? Any takers?

Would like to hear thoughts on this one.

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php