On 09/08/2017 01:30, Mark Côté wrote:
If you have any thoughts on this, please reply.  I'll answer any questions and 
summarize the feedback with a decision in a few days.  Note that we can, of 
course, try a simple approach to start, and add in more complex functionality 
after an evaluation period.

To sum up, there are three questions:

1. Is mirroring a confidential bug's CC list to association Differential 
revisions' subscriber lists actually useful?  That is, does the utility justify 
the cost of implementation and maintenance?

Probably not as you're describing here, but read on.

2. If yes, is one-way mirroring, from BMO to Differential, sufficient?

I hit the case of "I need info / a review from person X on this security bug that they can't currently see", and the associated modal warning that :nbp mentioned, so often that I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1211377 (please read esp. the bottom of comment #0).

So yes, people get CCd on sec bugs if/when required for reviews/needinfo, and because we keep security groups relatively small (for the reasons Axel stated), that means I end up using CCs heavily in order to get work done on those bugs.

I think generally, what I would really want, rather than mirroring the entire CC list, is making it painless to tell bugzilla/mozreview/differential/whatever "here's a patch for confidential bug X, request review from Y", and have whatever tool is doing that not make me jump through 42 hoops to allow Y to see/do the review. A warning would be acceptable and maybe useful, but I want to be able to say "yes, I know X is a sec bug, and I know Y can't currently see it, please do whatever is necessary to make Y see it anyway".

Oddly, that might mean that I actually want mirroring from differential to BMO, but NOT the other way. That is, if I post a patch for a bug and ask someone for review, they should be able to see the bug. :-) I can always add people to the differential thing manually if there are non-reviewers and non-sec-group-members who really need to see the patch, right? (Seems much less likely!)

3. Again if #1 is yes, should such mirroring be limited to confidential bugs, 
given that Phabricator's notification system is more fine-grained, and thus 
more useful, than BMO's product- and component-watching feature?


~ Gijs
dev-platform mailing list

Reply via email to