On 12/11/2013 08:14 PM, Bryan D. Payne wrote:

> Re: Removing Paul McMillan from core
>
> I would argue that it is critical that each project have 1-2 people on
> core that are security experts. The VMT is an intentionally small team.
> They are moving to having specifically appointed security sub-teams on
> each project (I believe this is what I heard at the last summit). These
> teams would be a subset of the core devs that can handle security
> reviews. The idea is that these people would then be able to +1 / -1
> embargoed security patches. So having someone like Paul on Horizon core
> would be very valuable for such things.

We can involve people in security reviews without having them on the core review team. They are separate concerns.

> In addition, I think that gerrit is exactly where security reviews
> *should* be happening. Much better to catch things before they are
> merged, rather than as bugs after-the-fact. Would we rather have a -1
> on a code review than a CVE?

This has been discussed quite a bit. We can't handle security patches on gerrit right now while they are embargoed because we can't completely hide them.

--
Russell Bryant

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev