Mock introducing vulnerability in important Bitcoin projects
Summary:

The email discussion revolves around the importance of review processes in ensuring security, and whether relying on an author's claims in a pull request (PR) is ever a good idea. The group agrees that relying on review is better for security, and that commits from unmerged PRs should only be used in production by individuals who are familiar with the codebase and have reviewed the change carefully. The group then discusses the value of testing review processes for weaknesses and proposes a plan: create pseudonyms, submit vulnerability-adding PRs to target projects, and observe whether review catches them. The plan includes publishing commitments to the planned tests, with random values inserted among the real commitments so that targets cannot tell how many tests exist, and publicly praising review processes while privately correcting any failures. The group concludes that vulnerabilities in review processes deserve the same care and handling as vulnerabilities found in machine-readable code.
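
The commit-and-decoy step of the plan, as an added illustration that is not code from the email thread: each planned test is committed to as SHA-256(nonce || description), random 32-byte values that commit to nothing are shuffled in among the real commitments, and a later reveal is checked against the published list. The plan strings and decoy count are constructed sample values.

```python
import hashlib
import secrets


def commit(plan: str, nonce: bytes) -> str:
    """Hash commitment to one planned test: SHA-256(nonce || plan), hex encoded."""
    return hashlib.sha256(nonce + plan.encode("utf-8")).hexdigest()


def build_commitment_list(plans, n_decoys):
    """Return (published_list, private_openings).

    Real commitments and random decoys are the same length and are shuffled
    together, so the published list reveals neither which entries are real
    nor how many real tests there are. The openings stay private until reveal.
    """
    openings = {}
    entries = []
    for plan in plans:
        nonce = secrets.token_bytes(32)          # fresh nonce per commitment
        c = commit(plan, nonce)
        openings[c] = (plan, nonce)
        entries.append(c)
    for _ in range(n_decoys):
        entries.append(secrets.token_hex(32))    # 64 hex chars, same shape as a real one
    secrets.SystemRandom().shuffle(entries)      # hide insertion order
    return entries, openings


def verify_opening(published, commitment, plan, nonce) -> bool:
    """Check a reveal: the value must appear in the published list and must
    recompute from the disclosed plan and nonce. Decoys can never be opened."""
    return commitment in published and commit(plan, nonce) == commitment


if __name__ == "__main__":
    # Constructed sample plans (hypothetical targets and dates).
    sample_plans = [
        "pseudonym A: PR against project X, window 2023-07",
        "pseudonym B: PR against project Y, window 2023-08",
    ]
    published, openings = build_commitment_list(sample_plans, n_decoys=3)
    print("published:", published)
    for c, (plan, nonce) in openings.items():
        print(verify_opening(published, c, plan, nonce), plan)
```

Publishing only the shuffled list lets the testers later prove that a given PR was a pre-announced test without disclosing, at publication time, how many tests were planned.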
Updated on: 2023-06-15T02:26:08.935428+00:00