What Bobby says here is right.  While sec-high are usually less bad than 
sec-crit, we would still probably chemspill for a sec-high in the wild.

Another thing that is missing is triaging security bugs.  If something should 
be a sec-crit but it hasn't been marked as such, that's probably worse than it 
being an unfixed sec-crit, because it is going to get looked at less.

I get emailed any day when there are any untriaged DOM or XPConnect security 
bugs (well, it looks like not XPConnect bugs right now, but I'll fix that).  It 
really doesn't take a huge amount of time, once you've worked down the backlog.

This is getting off-topic for this thread, but now that JS is split into a few 
Bugzilla components, it might be manageable for one person to take each of the 
subcomponents in the same way.  Having some SpiderMonkey hackers deal with sec 
triage is probably going to be more productive than the alternative, which is 
me MXRing for assertions and trying to figure out what they mean, then giving 
up and marking things sec-high.  (And I would like to emphasize, this would not 
involve attending any more meetings.)

Andrew

----- Original Message -----
> On Fri, Apr 11, 2014 at 12:52 AM, Chris Peterson
> <[email protected]> wrote:
> 
> >   1. Chemspill bugs
> >   2. sec-crit bugs
> >   11b. sec-high bugs
> >
> 
> This doesn't make sense. The distinction between sec-high and sec-crit is
> just a technicality in the modern world, and we chemspill for both with
> equivalent urgency. I've argued in the past that we should remove the
> distinction entirely, so that people won't de-prioritize bugs based on
> something that's not really meaningful.
> 
> I think this should be:
> 
> 2. sec-crit and sec-high bugs
> 
> If not, it should be:
> 
> 2. sec-crit bugs
> 3. sec-high bugs
> _______________________________________________
> dev-tech-js-engine-internals mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
> 