(Cross-posted to mozilla.tools)

Hi, I have an update and a request for comments regarding Phabricator and 
confidential reviews.

We've completed the functionality around limiting access to Differential 
revisions (i.e. code reviews) that are tied to confidential bugs.  To recap the 
original plan, various security groups in BMO are mirrored to Phabricator as 
"projects", containing the same set of users.  When a bug has such a security 
group added to it, e.g. dom-core-security, thus restricting its visibility 
largely to members of that group, a Phabricator "policy" is similarly set on 
any associated revisions, restricting their visibility to the same group of 
people (plus the author of the revision, if they are not in the project 

However, users outside of the security group(s) can see confidential bugs if 
they are involved with them in some way.  Frequently the CC field is used as a 
way to include outsiders in a bug.

Phabricator has a similar feature, called "subscribers", which, as with CCs, 
both grants visibility to confidential revisions and also sends email updates 
when the revision changes.  It was suggested that we attempt to synchronize CC 
and subscriber lists.

First I want to double check that this is truly useful.  I am not sure how 
often CCed users are involved with confidential bugs' patches (I might be able 
to ballpark this with some Bugzilla searches, but I don't think it would be 
easy to get a straight answer).  Anecdotally I have been told that a lot of the 
time users are CCed just to be informed of the problem, e.g. a manager might 
want to be aware of a vulnerability.  Given that adding subscribers to a 
revision is just as easy as CCing a user on a bug, if it is infrequent that 
outsiders need to be involved in reviewing confidential patches, I lean towards 
taking the simple route of making this manual.

However if this is more common than I suspect, then we must decide how to 
synchronize the lists.  The most straightforward approach is one-way 
synchronization from BMO, that is, anyone CCed on the bug will automatically be 
added as a subscriber to any associated revisions, but anyone manually added to 
the subscribers list who is not CCed on the bug would be automatically removed 
by the BMO-Phabricator synchronization routine.  The alternative is to keep 
track of who was manually added and who was automatically synchronized, which 
gets complicated rather quickly, both in terms of implementation and usability.

The second question that would come up is whether this synchronization should 
apply to all revisions or just confidential ones.  Given the dual nature of 
CCs/subscribers, for both visibility and notifications, I lean towards only 
doing this synchronization for confidential revisions, where it is more 
important.  A further justification for limiting the mirroring is that 
Phabricator has a much more powerful and fine-grained notification system 
(Herald) than BMO's product- and component-watching feature.  Automatic 
mirroring everywhere would reduce the utility of the former.

If you have any thoughts on this, please reply.  I'll answer any questions and 
summarize the feedback with a decision in a few days.  Note that we can, of 
course, try a simple approach to start, and add in more complex functionality 
after an evaluation period.

To sum up, there are three questions:

1. Is mirroring a confidential bug's CC list to association Differential 
revisions' subscriber lists actually useful?  That is, does the utility justify 
the cost of implementation and maintenance?

2. If yes, is one-way mirroring, from BMO to Differential, sufficient?

3. Again if #1 is yes, should such mirroring be limited to confidential bugs, 
given that Phabricator's notification system is more fine-grained, and thus 
more useful, than BMO's product- and component-watching feature?

dev-platform mailing list

Reply via email to