On Mar 12, 2013, at 1:48 AM, Adam Barth <aba...@webkit.org> wrote:

> On Tue, Mar 12, 2013 at 1:36 AM, Osztrogonác Csaba <o...@inf.u-szeged.hu> 
> wrote:
>> But my question is still open about how we can avoid similar
>> problems in the future. Why can't we let the EWS bots
>> build and test security patches before commit?
> 
> This topic was discussed on the webkit-security mailing list in May
> 2010.  Unfortunately, the archives of that list are not viewable
> publicly.  Maciej's concerns at the time are summarized in his message
> below:
> 
> On Tue, Oct 19, 2010 at 6:16 PM, Maciej Stachowiak <m...@apple.com> wrote:
>> The commit bot is not a person and therefore can't agree to the security 
>> group policy, as required for security group membership.
>> 
>> If a specific person or persons want to take responsibility for an 
>> additional email account and bugzilla account having security access, then 
>> that's not categorically excluded. But I'd like to understand who currently 
>> has access to the commit bot's email account and bugzilla account, what the 
>> policies are for more people getting access, and whether there are indirect 
>> ways of getting access such as by modifying the commit bot's code, or by 
>> uploading a patch that tries to abuse the EWS testers. And I'd like to see 
>> at least one person named to take responsibility for ensuring that the 
>> commit bot is not used as a means of violating the policy.
> 
> Of course, it's entirely possible that his views have changed since then.

I am still curious who has access to the commit bot's bugzilla account. Is it a 
small set of known people, is it a large set, is the password sitting around 
somewhere that others may get at it? I do not recall this being answered at the 
time, or perhaps I have forgotten.

If the set with access is a small set of known people who are willing to be 
identified and be in the security group themselves (or already are), then I am 
personally fine with it.

Regards,
Maciej

_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev
