On 09/08/2017 01:30, Mark Côté wrote:
> If you have any thoughts on this, please reply. I'll answer any questions and
> summarize the feedback with a decision in a few days. Note that we can, of
> course, try a simple approach to start, and add in more complex functionality
> after an evaluation period.
>
> To sum up, there are three questions:
>
> 1. Is mirroring a confidential bug's CC list to associated Differential
> revisions' subscriber lists actually useful? That is, does the utility justify
> the cost of implementation and maintenance?
Probably not as you're describing here, but read on.
> 2. If yes, is one-way mirroring, from BMO to Differential, sufficient?
I hit the case of "I need info / a review from person X on this security
bug that they can't currently see", and the associated modal warning
that :nbp mentioned, so often that I filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1211377 (please read esp.
the bottom of comment #0).
So yes, people get CCd on sec bugs if/when required for
reviews/needinfo, and because we keep security groups relatively small
(for the reasons Axel stated), that means I end up using CCs heavily in
order to get work done on those bugs.
I think generally, what I would really want, rather than mirroring the
entire CC list, is making it painless to tell
bugzilla/mozreview/differential/whatever "here's a patch for
confidential bug X, request review from Y", and have whatever tool is
doing that not make me jump through 42 hoops to allow Y to see/do the
review. A warning would be acceptable and maybe useful, but I want to be
able to say "yes, I know X is a sec bug, and I know Y can't currently
see it, please do whatever is necessary to make Y see it anyway".
Oddly, that might mean that I actually want mirroring from differential
to BMO, but NOT the other way. That is, if I post a patch for a bug and
ask someone for review, they should be able to see the bug. :-)
I can always add people to the differential thing manually if there are
non-reviewers and non-sec-group-members who really need to see the
patch, right? (Seems much less likely!)
> 3. Again if #1 is yes, should such mirroring be limited to confidential bugs,
> given that Phabricator's notification system is more fine-grained, and thus
> more useful, than BMO's product- and component-watching feature?
dev-platform mailing list