L. David Baron wrote:
Agreed.  You don't want too few people in one of the security
groups, since that just makes it more likely that security-sensitive
bugs will go unnoticed because two of the three people with access
to them are on vacation and the third is behind on email.

I don't think any of the proposed groups, with the possible exception of updates-security, would have so few people in.

And if we have a problem with people not picking up security bugs in an important area of code or service, then the module owner needs to delegate responsibility, perhaps with a rota, and make sure the people concerned are members of the group and know when they are responsible. We shouldn't rely on "the mail announcing the filing of this security bug goes to 150 people - surely one of them will do something with it".

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
