Re: Phabricator and confidential reviews

2017-09-02 Thread Randell Jesup
>> Bite the bullet and at least make all CC'd people able to see all >> patches, always. It's needed. > >Yeah, that's the direction I think we should take. Good, thanks. >For now, we will implement exact syncing of the CC list + reporter as the >revision's subscriber list. This means that

Re: Phabricator and confidential reviews

2017-08-28 Thread Mark Côté
On Saturday, 26 August 2017 00:40:08 UTC-4, Randell Jesup wrote: > >And don't forget reporter and assignees. Occasionally a reporter not in the > >security group will notice that a patch is insufficient which is nicer to > >find before the patch is committed than after the commit link is added to

Re: Phabricator and confidential reviews

2017-08-25 Thread Randell Jesup
>On Wed, Aug 9, 2017 at 11:32 AM, Mark Côté wrote: > >> I actually like Gijs's proposal, to mirror *from* Phabricator *to* BMO. >> That way, if you're looking at the bug and want to pull someone in, you CC >> them; if you're looking at the fix and want to involve someone, you

Re: Phabricator and confidential reviews

2017-08-10 Thread Frederik Braun
Having both reported, fixed and reviewed security bugs, I feel an uni-directional sync from Phabricator to BMO is not going to cut it. I think it will be unexpected for most users and might just lead to additional "why can I not see the patch" bug comments. I understand that it's more work, but I

Re: Phabricator and confidential reviews

2017-08-09 Thread Daniel Veditz
On Wed, Aug 9, 2017 at 11:32 AM, Mark Côté wrote: > I actually like Gijs's proposal, to mirror *from* Phabricator *to* BMO. > That way, if you're looking at the bug and want to pull someone in, you CC > them; if you're looking at the fix and want to involve someone, you add >

Re: Phabricator and confidential reviews

2017-08-09 Thread Mark Côté
For brevity and clarity I'm just replying to Dan here, but I am attempting to address other points raised so far in this thread. On Wednesday, 9 August 2017 13:07:08 UTC-4, Daniel Veditz wrote: > On Tue, Aug 8, 2017 at 5:30 PM, Mark Côté wrote: > > > I am not sure how often

Re: Phabricator and confidential reviews

2017-08-09 Thread Daniel Veditz
On Tue, Aug 8, 2017 at 5:30 PM, Mark Côté wrote: > I am not sure how often CCed users are involved with confidential bugs' > patches > ​[​ > ​] Anecdotally I have been told that a lot of the time users are CCed > just to be informed of the problem, e.g. a manager might

Re: Phabricator and confidential reviews

2017-08-09 Thread Daniel Veditz
On Wed, Aug 9, 2017 at 12:20 AM, Axel Hecht wrote: > I think we should strive to have as few people as possible with general > access to security bugs. ​We do. We've reduced the number of people with access, and split the "client" security group into ~10 sub groups so that

Re: Phabricator and confidential reviews

2017-08-09 Thread Daniel Veditz
On Tue, Aug 8, 2017 at 11:38 PM, Nicolas B. Pierron < nicolas.b.pier...@mozilla.com> wrote: > However, users outside of the security group(s) can see confidential bugs >> if they are involved with them in some way. Frequently the CC field is >> used as a way to include outsiders in a bug. > > >

Re: Phabricator and confidential reviews

2017-08-09 Thread Ehsan Akhgari
On 08/08/2017 08:30 PM, Mark Côté wrote: First I want to double check that this is truly useful. I am not sure how often CCed users are involved with confidential bugs' patches (I might be able to ballpark this with some Bugzilla searches, but I don't think it would be easy to get a straight

Re: Phabricator and confidential reviews

2017-08-09 Thread Gijs Kruitbosch
On 09/08/2017 01:30, Mark Côté wrote: If you have any thoughts on this, please reply. I'll answer any questions and summarize the feedback with a decision in a few days. Note that we can, of course, try a simple approach to start, and add in more complex functionality after an evaluation

Re: Phabricator and confidential reviews

2017-08-09 Thread Axel Hecht
private-attachment thing that Nicolas mentioned. Axel Am 09.08.17 um 02:30 schrieb Mark Côté: (Cross-posted to mozilla.tools) Hi, I have an update and a request for comments regarding Phabricator and confidential reviews. We've completed the functionality around limiting access to Differential

Re: Phabricator and confidential reviews

2017-08-09 Thread Nicolas B. Pierron
On 08/09/2017 12:30 AM, Mark Côté wrote: Hi, I have an update and a request for comments regarding Phabricator and confidential reviews. First of all, thanks for considering confidential bugs as part of this process. This was my main reason for not using moz-review. We've completed

Phabricator and confidential reviews

2017-08-08 Thread Mark Côté
(Cross-posted to mozilla.tools) Hi, I have an update and a request for comments regarding Phabricator and confidential reviews. We've completed the functionality around limiting access to Differential revisions (i.e. code reviews) that are tied to confidential bugs. To recap the original