On 12-08-23 12:31 PM, Al Billings wrote:
>> Also, there is a chance that a patch will bitrot if it waits for
>> approval for a few weeks. Are we planning to include enough time for
>> people to potentially fix up their patches against the recent changes,
>> get try server results, etc.?
>
> This is a human driven process. So, if someone says, "Oh, you gave me
> approval but my patch is out of date now, can I take a week to update
> it?", I don't think any rational person involved (like me) is going to
> say that you cannot do so.
>
> This isn't a stick with which to hit people. The overall goal is simply
> to avoid accidental exposure of security issues before their time, so we
> can shepherd when things go in a bit better. I think it will wind up
> being relatively flexible and straightforward for folks.

Oh, it seems like I failed to articulate properly here. I was asking
about whether the security team is going to include a buffer before a
given release code freeze or uplift when approving patches. The
scenario that I am worrying about is the security team approving the
patch 3 days before a code freeze and the developer being on vacation at
that time.
Hope that's clearer. :-)
Cheers,
Ehsan
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security