On 08/23/2012 07:56 PM, Gavin Sharp wrote:
> As I mentioned in my original post, posting patches to Try has different visibility characteristics than pushing to mozilla-central (people push all sorts of experimental junk to try, so mining it for security bugs is harder, particularly if people are cautious with what they push).

I don't think this obscurity results in any security whatsoever. Looking at our current use of Try, I believe I could automate sifting through pushes for security fixes to a point where manually analyzing the result would be no burden at all.

> there are cases where it may be the right tradeoff to push such tests to try (e.g. if it helps you debug the problem).

For this rare case, surely you must have access to all platforms internally for testing without having to expose the test on Try?

/Mats
