On 12/11/2013 11:08 PM, Bryan D. Payne wrote:
> > We can involve people in security reviews without having them on the
> > core review team. They are separate concerns.
>
> Yes, but those people can't ultimately approve the patch. So you'd need
> to have a security reviewer do their review, and then someone who isn't
> a security person be able to offer the +1/+2 based on the opinion of the
> security reviewer. This doesn't make any sense to me. You're involving
> an extra person needlessly, and creating extra work.

I don't want someone not regularly looking at changes going into the code able to do the ultimate approval of any patch. I think this is working as designed. Including the extra person in this case is a good thing.

> > This has been discussed quite a bit. We can't handle security patches
> > on gerrit right now while they are embargoed because we can't completely
> > hide them.
>
> I think that you're confusing security reviews of new code changes with
> reviews of fixes to security problems. In this part of my email, I'm
> talking about the former. These are not embargoed. They are just the
> everyday improvements to the system. That is the best time to identify
> and gate on security issues. Without someone on core that can give a -2
> when there's a problem, this will basically never happen. Then we'll be
> back to fixing a greater number of things as bugs.

Anyone can offer a -1, and that will be paid attention to. If that ever doesn't happen, let's talk about it.

-- 
Russell Bryant

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev