Re: Phabricator and confidential reviews

2017-09-02 Thread Randell Jesup
>> Bite the bullet and at least make all CC'd people able to see all >> patches, always. It's needed. > >Yeah, that's the direction I think we should take. Good, thanks. >For now, we will implement exact syncing of the CC list + reporter as the >revision's subscriber list. This means that

Re: Phabricator and confidential reviews

2017-08-28 Thread Mark Côté
On Saturday, 26 August 2017 00:40:08 UTC-4, Randell Jesup wrote: > >And don't forget reporter and assignees. Occasionally a reporter not in the > >security group will notice that a patch is insufficient which is nicer to > >find before the patch is committed than after the commit link is added to

Re: Phabricator and confidential reviews

2017-08-25 Thread Randell Jesup
>On Wed, Aug 9, 2017 at 11:32 AM, Mark Côté wrote: > >> I actually like Gijs's proposal, to mirror *from* Phabricator *to* BMO. >> That way, if you're looking at the bug and want to pull someone in, you CC >> them; if you're looking at the fix and want to involve someone, you

Re: Phabricator and confidential reviews

2017-08-10 Thread Frederik Braun
Having both reported, fixed and reviewed security bugs, I feel a uni-directional sync from Phabricator to BMO is not going to cut it. I think it will be unexpected for most users and might just lead to additional "why can I not see the patch" bug comments. I understand that it's more work, but I

Re: Phabricator and confidential reviews

2017-08-09 Thread Daniel Veditz
On Wed, Aug 9, 2017 at 11:32 AM, Mark Côté wrote: > I actually like Gijs's proposal, to mirror *from* Phabricator *to* BMO. > That way, if you're looking at the bug and want to pull someone in, you CC > them; if you're looking at the fix and want to involve someone, you add >

Re: Phabricator and confidential reviews

2017-08-09 Thread Mark Côté
For brevity and clarity I'm just replying to Dan here, but I am attempting to address other points raised so far in this thread. On Wednesday, 9 August 2017 13:07:08 UTC-4, Daniel Veditz wrote: > On Tue, Aug 8, 2017 at 5:30 PM, Mark Côté wrote: > > > I am not sure how often

Re: Phabricator and confidential reviews

2017-08-09 Thread Daniel Veditz
On Tue, Aug 8, 2017 at 5:30 PM, Mark Côté wrote: > I am not sure how often CCed users are involved with confidential bugs' > patches > [ > ] Anecdotally I have been told that a lot of the time users are CCed > just to be informed of the problem, e.g. a manager might

Re: Phabricator and confidential reviews

2017-08-09 Thread Daniel Veditz
On Wed, Aug 9, 2017 at 12:20 AM, Axel Hecht wrote: > I think we should strive to have as few people as possible with general > access to security bugs. We do. We've reduced the number of people with access, and split the "client" security group into ~10 sub groups so that

Re: Phabricator and confidential reviews

2017-08-09 Thread Daniel Veditz
On Tue, Aug 8, 2017 at 11:38 PM, Nicolas B. Pierron < nicolas.b.pier...@mozilla.com> wrote: > However, users outside of the security group(s) can see confidential bugs >> if they are involved with them in some way. Frequently the CC field is >> used as a way to include outsiders in a bug. > > >

Re: Phabricator and confidential reviews

2017-08-09 Thread Ehsan Akhgari
On 08/08/2017 08:30 PM, Mark Côté wrote: First I want to double check that this is truly useful. I am not sure how often CCed users are involved with confidential bugs' patches (I might be able to ballpark this with some Bugzilla searches, but I don't think it would be easy to get a straight

Re: Phabricator and confidential reviews

2017-08-09 Thread Gijs Kruitbosch
On 09/08/2017 01:30, Mark Côté wrote: If you have any thoughts on this, please reply. I'll answer any questions and summarize the feedback with a decision in a few days. Note that we can, of course, try a simple approach to start, and add in more complex functionality after an evaluation

Re: Phabricator and confidential reviews

2017-08-09 Thread Axel Hecht
private-attachment thing that Nicolas mentioned. Axel On 09.08.17 at 02:30, Mark Côté wrote: (Cross-posted to mozilla.tools) Hi, I have an update and a request for comments regarding Phabricator and confidential reviews. We've completed the functionality around limiting access to Differential

Re: Phabricator and confidential reviews

2017-08-09 Thread Nicolas B. Pierron
On 08/09/2017 12:30 AM, Mark Côté wrote: Hi, I have an update and a request for comments regarding Phabricator and confidential reviews. First of all, thanks for considering confidential bugs as part of this process. This was my main reason for not using moz-review. We've completed