We have discussed this at numerous OMC meetings in terms of how to manage potential *perceived* conflicts of interest that might arise if people outside of the fellows come from the same company and hence can effectively turn the OMC review control mechanism into a single control rather than a dual control.

We discussed tooling changes to make checking this possible given that in each instance we have had the individuals involved make a commitment to avoid that situation (through their own actions). Occasionally that didn't happen and the person "corrected" it when pointed out.

We haven't formally voted to make such a change - however it is something that I think we should have in place and I do support. Making a formal policy change of course will go through our usual decision making process.

What I was expecting tooling-wise is that the scripts would detect this situation and advise - at the very least warn - and potentially blocking things.

The OpenSSL fellows are in a completely different context - the company they work for is directed by the OMC - so there isn't a separate external third party source of influence so there is no reasonable mechanism to *perceive* a potential conflict of interest.

Note - this is all about *perceptions* of a *potential* situation - not about something we are actually concerned about for the individuals involved. However it is prudent to address even the perception of a path for potential conflicts of interest in my view.

Tim.

On Fri, May 24, 2019 at 8:16 AM Paul Dale <paul.d...@oracle.com> wrote:

> There hasn't been a vote about this, however both Shane and I have committed to not approve each other's PRs.
>
> I also asked Richard if this could be mechanically enforced, which I expect will happen eventually.
>
> Pauli
> --
> Oracle
> Dr Paul Dale | Cryptographer | Network Security & Encryption
> Phone +61 7 3031 7217
> Oracle Australia
>
> -----Original Message-----
> From: Salz, Rich [mailto:rs...@akamai.com]
> Sent: Friday, 24 May 2019 1:01 AM
> To: openssl-project@openssl.org
> Subject: Re: No two reviewers from same company
>
> > I understand that OpenSSL is changing things so that, by mechanism (and maybe by
> > policy although it’s not published yet), two members of the same company cannot
> > approve the same PR. That’s great. (I never approved Akamai requests unless it
> > was trivial back when I was on the OMC.)
>
> No such decision has been made as far as I know although it has been discussed at various times.
>
> In private email, and https://github.com/openssl/openssl/pull/8886#issuecomment-494624313 the implication is that this was a policy.
>
> > Should this policy be extended to OpenSSL’s fellows?
>
> IMO, no.
>
> Why not? I understand build process is always handled by Matt and Richard (despite many attempts in the past to expand this), but I think if Oracle or Akamai can't "force a change" then it seems to me that the OMC shouldn't either.