Christopher Aillon wrote:
> Gervase Markham wrote:
>> Reed Loden wrote:
>>> I disagree with adding AUS to the main security group. By doing that,
>>> you force the AUS developers to join the security group, which means
>>> they have to deal with all the mass of mail/bugmail that comes through
>>> for product stuff that does not affect AUS at all. Instead, I propose
>>> that an "aus-security" group be created and that the security group
>>> inherit that group, just as security inherits update-security currently.
>>
>> OK, let's turn the question around. If we add both an aus-security and a websites-security group to the plan, that makes six security groups. I said in the original proposal that I didn't want to create too many but, thinking about it, I can't see massive disadvantages to this apart from a bit of juggling and management.
>
> Can we get a good explanation as to how people will be flooded with bugmail first?

Due to a b.m.o.-specific change, people in a security group get mail whenever a bug is added to or removed from that group. Therefore, it is in our interest to try and make the groups which exist match up as far as possible with people's interests, so they don't get mail they are not interested in.

At the moment, for example, I'm a member of webtools-security and so I get mail whenever a LXR, Mozbot, etc. security bug is filed even though I have nothing to do with those projects.

It's also about compartmentalisation. For each security bug, we want to keep it as secure as possible. That means making sure it can be seen by the maximum number of people who care about it and can fix it, and the minimum number of people who don't.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
