On Tue, Mar 12, 2013 at 1:36 AM, Osztrogonác Csaba <o...@inf.u-szeged.hu> wrote:
> But my question is still open about how can we avoid similar
> problems in the future. Why can't we let the EWS bots
> build and test security patches before commit?

This topic was discussed on the webkit-security mailing list in May 2010. Unfortunately, the archives of that list are not viewable publicly. Maciej's concerns at the time are summarized in his message below:

On Tue, Oct 19, 2010 at 6:16 PM, Maciej Stachowiak <m...@apple.com> wrote:
> The commit bot is not a person and therefore can't agree to the security
> group policy, as required for security group membership.
>
> If a specific person or persons want to take responsibility for an additional
> email account and bugzilla account having security access, then that's not
> categorically excluded. But I'd like to understand who currently has access
> to the commit bot's email account and bugzilla account, what the policies are
> for more people getting access, and whether there are indirect ways of
> getting access such as by modifying the commit bot's code, or by uploading a
> patch that tries to abuse the EWS testers. And I'd like to see at least one
> person named to take responsibility for ensuring that the commit bot is not
> used as a means of violating the policy.

Of course, it's entirely possible that his views have changed since then.

Adam
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev