On 08/08/2017 08:30 PM, Mark Côté wrote:
> First I want to double check that this is truly useful. I am not sure how
> often CCed users are involved with confidential bugs' patches (I might be able
> to ballpark this with some Bugzilla searches, but I don't think it would be
> easy to get a straight answer).
No, it wouldn't be. Right now we're living in a world where the
discussions about patches happen in the bug, which means parts of the
patch often get quoted on the bug, which may make people want to look at
the patch while they're on the bug page, whereas if they were following
the same conversation on Phabricator perhaps they may find it sufficient
to follow code related discussions there. Or perhaps not, maybe old
culture turns out to be hard to change and code related conversations
still find their way back into bugs, which would make people reading the
bug naturally want to look at the code from the bug. It's impossible
for me to tell which way it will work.
> Anecdotally I have been told that a lot of the time users are CCed just to be
> informed of the problem, e.g. a manager might want to be aware of a
> vulnerability. Given that adding subscribers to a revision is just as easy as
> CCing a user on a bug, if it is infrequent that outsiders need to be involved
> in reviewing confidential patches, I lean towards taking the simple route of
> making this manua
My anecdotal experience is that I almost always look at the patch no
matter what the security bug is about in order to try to see if the
patch reveals a pattern that we can build a static analysis around in
order to prevent further occurrences of the bug, so the proposal of
requiring an extra step of finding someone to CC you on the review in
order to see the patch will introduce a hurdle for me when I look at
bugs in the components that I'm not in the security group for (aka,
most components.) That being said, I don't do this every day, and it's
not clear what the cost of implementing the syncing proposal is, so I'm
not sure what the right trade-off should be here.
(BTW, do we have data about this from Bugzilla server logs, for example
about how often patch attachments on security sensitive bugs are viewed
by people who are recently CCed?)
Cheers,
Ehsan
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform