Security/Bug Approval Process: Difference between revisions

Security/Bug Approval Process (view source)

9 bytes removed , 6 November 2012

no edit summary

canmove, Confirmed users

4,854

edits

@@ Line 1: / Line 1: @@
 For security bugs with no sec- severity rating assume the worst and follow the rules for sec-critical. If you have experience fixing security bugs you could also take a crack at rating it yourself following the [[Security_Severity_Ratings]]
-===sec-low, sec-moderate, sec-other or sec-want===
 Core-security bug fixes should just be landed by a developer without any
 explicit approval if:
 # The bug has a sec-low, sec-moderate, sec-other, or sec-want rating.<br>'''OR'''
-# The bug is a recent regression on mozilla-central.
+# The bug is a recent regression on mozilla-central (this means that the specific regressing check-in has been identified on mozilla-central)
   This means that the developer can mark the status flags for ESR, Beta, and Aurora as "unaffected."
   It also means that we haven't shipped anywhere public in an official release yet.
@@ Line 12: / Line 11: @@
 If it meets the above criteria, check that patch in.
-===sec-high or sec-critical (or no rating)===
 Otherwise, if the bug has a patch *and* is sec-high or sec-critical, the developer should set the sec-approval flag to '?' on the patch when it is ready to be checked into mozilla-central (or elsewhere if it is branch only).