Security/Bug Approval Process: Difference between revisions

no edit summary
mNo edit summary
No edit summary
Line 1: Line 1:
For security bugs with no sec- severity rating assume the worst and follow the rules for sec-critical. If you have experience fixing security bugs you could also take a crack at rating it yourself following the [[Security_Severity_Ratings]]
For security bugs with no sec- severity rating assume the worst and follow the rules for sec-critical. If you have experience fixing security bugs you could also take a crack at rating it yourself following the [[Security_Severity_Ratings]]


===sec-low, sec-moderate, sec-other or sec-want===
Core-security bug fixes should just be landed by a developer without any
Core-security bug fixes should just be landed by a developer without any
explicit approval if:
explicit approval if:


# The bug has a sec-low, sec-moderate, sec-other, or sec-want rating.<br>'''OR'''
# The bug has a sec-low, sec-moderate, sec-other, or sec-want rating.<br>'''OR'''
# The bug is a recent regression on mozilla-central.
# The bug is a recent regression on mozilla-central (this means that the specific regressing check-in has been identified on mozilla-central)
  This means that the developer can mark the status flags for ESR, Beta, and Aurora as "unaffected."  
  This means that the developer can mark the status flags for ESR, Beta, and Aurora as "unaffected."  
  It also means that we haven't shipped anywhere public in an official release yet.
  It also means that we haven't shipped anywhere public in an official release yet.
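Review bot: The new heading "===sec-low, sec-moderate, sec-other or sec-want===" names only the first list item, but the list under it also allows landing without approval when the bug is a recent regression on mozilla-central, whatever its rating. Someone scanning by heading for a sec-high regression would skip this section, so the heading should name both cases or the regression case should get its own heading. The parenthetical added to the regression item is also missing its closing period.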
Line 12: Line 11:
If it meets the above criteria, check that patch in.
If it meets the above criteria, check that patch in.


===sec-high or sec-critical (or no rating)===
Otherwise, if the bug has a patch *and* is sec-high or sec-critical, the developer should set the sec-approval flag to '?' on the patch when it is ready to be checked into mozilla-central (or elsewhere if it is branch only).
Otherwise, if the bug has a patch *and* is sec-high or sec-critical, the developer should set the sec-approval flag to '?' on the patch when it is ready to be checked into mozilla-central (or elsewhere if it is branch only).
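Review bot: The new heading says "(or no rating)", but the sentence under it still requires the bug to be "sec-high or sec-critical", so an unrated bug is not covered by the text as written. The opening paragraph already says unrated bugs follow the sec-critical rules; suggest making this sentence match, for example "is sec-high, sec-critical, or has no sec- rating". The asterisks around "and" are not wiki emphasis (the list above uses '''OR''') and will render literally.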

