Hi!

> Nope, we (releng) don't/can't know the context for all of these patches. It's not
> our area of expertise--nor should it be. If patches shouldn't be applied anymore,
> the patch owner or the security team should remove it from the list or reach out
> to us to remove it.
For me, this sounds scary. E.g. let's say I refactor Special:Search and change some stuff. I have no idea security patches exist for that code, and have no access to the security tickets. I can look at security patches by logging in to tin, but I have never heard of anybody doing this (including me) outside of having a specific issue to deal with, and looking only at the patch without context probably won't help much. OTOH, the author of the patch has no idea I was refactoring Special:Search - the patch may have been done half a year ago and the author has long since moved on to do different things.

So, when merging it, we have: a) code from someone having no idea the patch exists; b) a patch from someone having no idea the code changed; and c) a releng engineer having very little idea about what's going on there. For me it is a recipe for getting into trouble.

We should either radically shorten patch lifetimes outside master - to a matter of a few weeks at most - or develop some mechanism for raising the awareness of at least people with +2 that these patches exist and need to be looked at. Maybe both.

--
Stas Malyshev
[email protected]

_______________________________________________
QA mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/qa
