On Mon, 27 Jan 2025 at 05:38, Umar Hayat <postgresql.wiz...@gmail.com> wrote:

> +1. In GitHub you can enforce a minimum number of reviewers. IMO there
> should be a minimum of two reviewers, and one of the reviewers should
> be from the security group/role.

In a perfect world I'd agree, but I don't think there are currently enough people involved in the project to make two reviewers a realistic option.

> Though the primary risk would be introducing a new vulnerable dependency,
> there is no bound to other kinds of exploitation. Also, GitHub
> vulnerability scanning should be enabled by default.

Enabled that now on my GitHub mirror. I don't think it'll actually do anything though. We don't pin exact Python dependency versions, because on prod we only use Python dependencies available in Debian (which should resolve security issues).