On 08/09/2017 12:30 AM, Mark Côté wrote:
> Hi, I have an update and a request for comments regarding Phabricator and
First of all, thanks for considering confidential bugs as part of this
process. This was my main reason for not using moz-review.
> We've completed the functionality around limiting access to Differential
> revisions (i.e. code reviews) that are tied to confidential bugs. […]
> However, users outside of the security group(s) can see confidential bugs if
> they are involved with them in some way. Frequently the CC field is used as a
> way to include outsiders in a bug.
Note that Bugzilla warns us against adding people who do not have s-s access
to an s-s bug. (This is an awesome feature, by the way.)
> First I want to double check that this is truly useful. […]
I did that multiple times in the past. The main reason for doing it was to
CC the person who contributed the patch, such that at best they can
contribute a fix as well, and in the worst case they can contribute insight
for fixing the issue.
So, not only are the CC-ed persons asked to review, I might even ask them to
submit patches to these security bugs. This is a way to gradually empower
contributors, from my point of view.
Also, some users can open s-s bugs and contribute patches too. We should at
least allow people from the CC list / reporters to submit new
> The second question that would come up is whether this synchronization should
> apply to all revisions or just confidential ones. […]
Currently Bugzilla has a "private" flag on attachments, and anybody added to
the CC list of the bug without s-s flags should not have access to the private
attachments, but should have access to any non-private attachments.
A similar "private" flag could be used to prevent the synchronization of the
CC list / reporter who are outside the s-s group.
Nicolas B. Pierron
dev-platform mailing list