On Thu, Aug 23, 2012 at 10:36 AM, Mats Palmgren <[email protected]> wrote:
> I think the proposed policy is pointless without addressing the same
> exposure of pushes to Try.

That's a good example of the "perfect solution fallacy":
http://en.wikipedia.org/wiki/Nirvana_fallacy#Perfect_solution_fallacy

As I mentioned in my original post, posting patches to Try has different
visibility characteristics than pushing to mozilla-central (people push
all sorts of experimental junk to try, so mining it for security bugs is
harder, particularly if people are cautious with what they push). So
fixing the problem for mozilla-central has value even if we don't fix the
problem for Try.

> You should *not* push tests for security sensitive bugs to Try (or
> anywhere else) before the bug is made public (and not even then in
> some cases).

Generally I think this is sound advice, but there are cases where it may
be the right tradeoff to push such tests to try (e.g. if it helps you
debug the problem).

> and a push to Try without a bug number is as telling as having
> a number to cross-reference with Bugzilla to confirm it's hidden.

No, I don't think it's "as telling", in general (people push lots of
non-security patches to try without bug numbers). Omitting security bug
numbers is a thing we can do to make mining public repositories for
security issues harder, so we should do it, even if it's not going to be
a perfect solution.

Gavin

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
