Re: Phabricator and confidential reviews

Wed, 09 Aug 2017 07:40:34 -0700 

On 08/08/2017 08:30 PM, Mark Côté wrote:

First I want to double check that this is truly useful.  I am not sure how 
often CCed users are involved with confidential bugs' patches (I might be able 
to ballpark this with some Bugzilla searches, but I don't think it would be 
easy to get a straight answer).



No, it wouldn't be.  Right now we're living in a world where the 
discussions about patches happen in the bug, which means parts of the 
patch often get quoted on the bug, which may make people want to look at 
the patch while they're on the bug page, whereas if they were following 
the same conversation on Phabricator perhaps they may find it sufficient 
to follow code related discussions there.  Or perhaps not, maybe old 
culture turns out to be hard to change and code related conversations 
still find their way back into bugs, which would make people reading the 
bug naturally want to look at the code from the bug.  It's impossible 
for me to tell which way it will work.



Anecdotally I have been told that a lot of the time users are CCed just to be 
informed of the problem, e.g. a manager might want to be aware of a 
vulnerability.  Given that adding subscribers to a revision is just as easy as 
CCing a user on a bug, if it is infrequent that outsiders need to be involved 
in reviewing confidential patches, I lean towards taking the simple route of 
making this manua

My anecdotal experience is that I almost always look at the patch no 
matter what the security bug is about in order to try to see if the 
patch reveals a pattern that we can build a static analysis around in 
order to prevent further occurrences of the bug, so the proposal of 
requiring an extra step of finding someone to CC you on the review in 
order to see the patch will introduce a hurdle for me when I look at 
bugs in the components where I'm not in the security group for (aka, 
most components.)  That being said, I don't do this every day, and it's 
not clear what the cost of implementing the syncing proposal is, so I'm 
not sure what the right trade-off should be here.



(BTW, do we have data about this from Bugzilla server logs, for example 
about how often patch attachments on security sensitive bugs are viewed 
by people who are recently CCed?)


Cheers,
Ehsan
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform






















					Reply via email to