river-dev mailing list archives

From Mark Brouwer <mark.brou...@cheiron.org>
Subject Re: development process
Date Fri, 31 Aug 2007 15:36:22 GMT
Jools wrote:

> If a security issues was found in river, I'd prefer that it be discussed
> with a little privacy until the nature of the issue was fully understood,
> and the possible issues which users of river may be exposed to should they
> fail to patch their systems.
> All issues will ultimately become visible via JIRA, and should anybody
> involved in the project wish to make a constructive comment, I would suggest
> that be the place to do it.

Good point, AFAIK there is no special field yet to mark an issue as
a security issue in which case only committers can see it and its
details. This is possible to achieve in JIRA as I've done the same thing
for Cheiron.

What is the opinion on dealing with security issues? My personal opinion
would be to include a special "Security Level" field that has 2
options: "None" and "Security risk", or to have the problem mailed to one
of the committers who can take care of entering it in JIRA. We can use
the private PMC list for discussing the matter.

> My personal preference would be as follows;
> 1) Issue gets raised on mailing list.
> 2) If the issue is genuine, then raise a JIRA id for it.
> 3) Add yourself as interested in the id, and you will be notified of
> changes.
> 4) If you feel the need to comment, it will be recorded in the right place,
> once. No need for any copying.

Ok, I was thinking earlier on you were referring to remarks related to
the actual code reviewing.

>> Committer applies patch to the code base after reviews are complete.
>>> Hope it helps.....
>> Any feelings with regard to code modifications of committers themselves,
>> i.e. RTC versus CTR? Does it make any difference in your willingness to
>> participate and become a committer?
> I know which I prefer, but I'm agnostic to the process. I will still
> continue to help and support where and when I can.

I was going to ask "which is" but that would only be for my own
curiosity given your later statement, so I'll refrain :-)
