+1
On Thu, Dec 12, 2013 at 9:14 AM, Bryan D. Payne <[email protected]> wrote:

> Re: Removing Paul McMillan from core
>
> I would argue that it is critical that each project have 1-2 people on
> core that are security experts. The VMT is an intentionally small team.
> They are moving to having specifically appointed security sub-teams on
> each project (I believe this is what I heard at the last summit). These
> teams would be a subset of the core devs that can handle security reviews.
> The idea is that these people would then be able to +1 / -1 embargoed
> security patches. So having someone like Paul on Horizon core would be
> very valuable for such things.
>
> In addition, I think that gerrit is exactly where security reviews
> *should* be happening. Much better to catch things before they are merged,
> rather than as bugs after-the-fact. Would we rather have a -1 on a code
> review than a CVE?
>
> My 2 cents,
> -bryan (from OSSG)
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Best Regards,
NiuZG
