On 12-08-23 2:13 PM, Lukas Blakk wrote:
> On Aug 23, 2012, at 10:56 AM, Gavin Sharp <[email protected]> wrote:
>> On Thu, Aug 23, 2012 at 10:36 AM, Mats Palmgren <[email protected]> wrote:
>>> I think the proposed policy is pointless without addressing the same
>>> exposure of pushes to Try.
>>
>> That's a good example of the "perfect solution fallacy":
>> http://en.wikipedia.org/wiki/Nirvana_fallacy#Perfect_solution_fallacy
>>
>> As I mentioned in my original post, posting patches to Try has
>> different visibility characteristics than pushing to mozilla-central
>> (people push all sorts of experimental junk to try, so mining it for
>> security bugs is harder, particularly if people are cautious with what
>> they push). So fixing the problem for mozilla-central has value even
>> if we don't fix the problem for Try.
>
> Also the try repo gets clobbered/reset on a completely random basis so the
> builds are erased after 14 days, and the code is also not around for long
> (perhaps a few months at most?).

Setting up a non-clobbering clone of try doesn't take more than 10
minutes, so this is not really relevant, but on the other points I
completely agree with Gavin.

Cheers,
Ehsan
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security