May I propose that we insert a temporary "short-circuit" into the
auto-update mechanism to allow for manual inspection prior to live push?
Let all but the DNS update happen then post the URL somewhere public so
many eyes can download and examine diffs.
Keep it this way for a short while until we've regained confidence that
auto-promotion wont cause unexpected surprises. Thereafter make it
fully automatic again, but make it easy to flip a boolean to switch back
to manual inspection should we need it again later.
Thoughts?
Warren Togami
[email protected]
