On Mon, Sep 19, 2022 at 05:58:36PM +0200, Vít Ondruch wrote:
>
> On 16. 09. 22 at 19:03 Kevin Fenzi wrote:
> > On Fri, Sep 16, 2022 at 10:03:35AM +0200, Vít Ondruch wrote:
> > > Isn't peer review a much better and easier solution overall? We could also
> > > require signed commits I guess.
> > I think it would slow things down quite a lot to require peer review of
> > every commit.
>
>
> This proposal was based mainly upon the conversation, where nothing that was
> proposed was secure enough. Every proposal was shot down as having some
> possible holes. While peer review might be slow and it is certainly not
> bulletproof, I don't think we can do any better.

Well, the problem is 'secure enough'. Security is not a checkbox. You can't ever say "ok, we are secure". Security is a process. What things you do are based on what possible solutions you have and what possible attacks you have and the tradeoffs you have to make to implement things.

I don't personally think right now the tradeoffs are worth requiring review for every change. I fear it would result in a lot of "hey can you +1 my change" and people just clicking reviewed without reviewing. Bad actors would just need to find another person to approve their change without much review. Of course a lot of people would review and perhaps it would improve overall quality.

Long ago, when the number of changes was small... I used to actually read all of them and comment when I found something concerning. I've not been able to do that in many years tho... In the past 30 days there have been 41080 changes to spec files. That is a ton.

> And BTW, when I talk about peer review, I think that also ex-post peer
> review is valuable. E.g. if I contribute to some package, I'll look at every
> commit notification and check the changes. If I see something concerning,
> I'll try to address it. Better late than never.

Absolutely.

kevin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx