On Thu, Mar 9, 2017 at 5:48 PM, Eric Rescorla <e...@rtfm.com> wrote:

>
>
> On Thu, Mar 9, 2017 at 2:43 PM, Ben Kelly <bke...@mozilla.com> wrote:
>
>> (Just continuing the thread here.)
>>
>> Personally I prefer looking at the bug for the full context and single
>> point of truth.  Also, security bugs typically can't have extensive commit
>> messages and moving a lot of context to commit messages might paint a
>> target on security patches.
>>
>
> Can't you determine that by just looking to see if the bug is visible?
>

So you are saying we should just write SECURE BUG REDACTED in these commit
messages now?  Or do we have to fabricate a paragraph to match other
commits now?

Right now our security bug process asks about the commit message and if it
"paints a target" on the patch.  If you want to change our commit message
policy, please adjust that or take it into account.

And I also agree with the other commenters here that complexity should be
described in code comments.

Ultimately as long as the code is explained via comments, the bug is
up-to-date, and our secure bug process isn't broken I don't have a strong
opinion here.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
