On Aug 23, 2012, at 10:56 AM, Gavin Sharp <[email protected]> wrote:
> On Thu, Aug 23, 2012 at 10:36 AM, Mats Palmgren <[email protected]> wrote:
>> I think the proposed policy is pointless without addressing the same
>> exposure of pushes to Try.
>
> That's a good example of the "perfect solution fallacy":
> http://en.wikipedia.org/wiki/Nirvana_fallacy#Perfect_solution_fallacy
>
> As I mentioned in my original post, posting patches to Try has
> different visibility characteristics than pushing to mozilla-central
> (people push all sorts of experimental junk to try, so mining it for
> security bugs is harder, particularly if people are cautious with what
> they push). So fixing the problem for mozilla-central has value even
> if we don't fix the problem for Try.

Also the try repo gets clobbered/reset on a completely random basis so the builds are erased after 14 days, and the code is also not around for long (perhaps a few months at most?).

-Lukas
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
