On 08/08/2017 08:30 PM, Mark Côté wrote:
First I want to double check that this is truly useful.  I am not sure how 
often CCed users are involved with confidential bugs' patches (I might be able 
to ballpark this with some Bugzilla searches, but I don't think it would be 
easy to get a straight answer).

No, it wouldn't be. Right now we're living in a world where the discussions about patches happen in the bug, which means parts of the patch often get quoted on the bug, which may make people want to look at the patch while they're on the bug page, whereas if they were following the same conversation on Phabricator perhaps they may find it sufficient to follow code related discussions there. Or perhaps not, maybe old culture turns out to be hard to change and code related conversations still find their way back into bugs, which would make people reading the bug naturally want to look at the code from the bug. It's impossible for me to tell which way it will work.

Anecdotally I have been told that a lot of the time users are CCed just to be 
informed of the problem, e.g. a manager might want to be aware of a 
vulnerability.  Given that adding subscribers to a revision is just as easy as 
CCing a user on a bug, if it is infrequent that outsiders need to be involved 
in reviewing confidential patches, I lean towards taking the simple route of 
making this manua
My anecdotal experience is that I almost always look at the patch no matter what the security bug is about in order to try to see if the patch reveals a pattern that we can build a static analysis around in order to prevent further occurrences of the bug, so the proposal of requiring an extra step of finding someone to CC you on the review in order to see the patch will introduce a hurdle for me when I look at bugs in the components where I'm not in the security group for (aka, most components.) That being said, I don't do this every day, and it's not clear what the cost of implementing the syncing proposal is, so I'm not sure what the right trade-off should be here.

(BTW, do we have data about this from Bugzilla server logs, for example about how often patch attachments on security sensitive bugs are viewed by people who are recently CCed?)

dev-platform mailing list

Reply via email to