On 08/23/2012 01:14 AM, Gavin Sharp wrote:
> I don't think this policy should directly affect your pushes to try server. The goal of the policy is to prevent us from landing security patches on mozilla-central at inconvenient times.

I think the proposed policy is pointless without addressing the same exposure of pushes to Try.

> But, it does raise a separate point that we might need to discuss further: pushing security patches (and tests) to try ...

You should *not* push tests for security sensitive bugs to Try (or anywhere else) before the bug is made public (and not even then in some cases).

> Developers working on security bugs need to be wary of that, and need to know that they should take appropriate precautions (e.g. don't list the bug #, don't include comments, use an innocuous summary, etc.).
That's good advice, but quite often just the code changes leak enough information to give a good hint at what the problem is... and a push to Try without a bug number is as telling as having a number to cross-reference with Bugzilla to confirm it's hidden.

/Mats

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
