On Mon, Sep 19, 2022 at 05:58:36PM +0200, Vít Ondruch wrote:
> 
> Dne 16. 09. 22 v 19:03 Kevin Fenzi napsal(a):
> > On Fri, Sep 16, 2022 at 10:03:35AM +0200, Vít Ondruch wrote:
> > > Isn't peer review a much better and easier solution overall? We could also
> > > require signed commits I guess.
> > I think it would slow things down quite a lot to require peer review of
> > every commit.
> 
> 
> This proposal was based mainly upon the conversation, where nothing that was
> proposed was secure enough. Every proposal was shot down as having some
> possible holes. While peer review might be slow and it is certainly not
> bulletproof, I don't think we can do any better.

Well, the problem is 'secure enough'. Security is not a checkbox. 
You can't ever say "ok, we are secure". Security is a process. What
things you do are based on what possible solutions you have and what
possible attacks you have and the tradeoffs you have to make to
implement things. 

I don't personally think right now the tradeoffs are worth requiring
review for every change. I fear it would result in a lot of "hey can you
+1 my change" and people just clicking reviewed without reviewing. Bad
actors would just need to find another person to approve their change
without much review. Of course a lot of people would review and perhaps
it would improve overall quality.

Long ago, when the number of changes was small... I used to actually read
all of them and comment when I found something concerning. I've not been
able to do that in many years tho... In the past 30 days there have been
41080 changes to spec files. That is a ton.

> And BTW, when I talk about peer review, I think that also ex-post peer
> review is valuable. E.g. if I contribute to some package, I'll look at every
> commit notification and check the changes. If I see something concerning,
> I'll try to address it. Better late than never.

Absolutely.

kevin

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue