MOSS/Secure Open Source/Process: Difference between revisions

Add note about commits
No edit summary
(Add note about commits)
Line 19: Line 19:
Funding is available, at standard consulting rates, for the remediation process. However, this requires signing a contract with Mozilla, which may delay the process. In the past, some maintainers have opted to go this route, and some (perhaps those with only simple fixes to implement, or for whom the maintenance is not a normal source of income) have not. Any maintainer is allowed to make either choice.
Funding is available, at standard consulting rates, for the remediation process. However, this requires signing a contract with Mozilla, which may delay the process. In the past, some maintainers have opted to go this route, and some (perhaps those with only simple fixes to implement, or for whom the maintenance is not a normal source of income) have not. Any maintainer is allowed to make either choice.


The output of this stage is a Fix Log, which details the commits which fixed the issue (if a commit is necessary), along with any comments from the maintainers. Maintainers do have the option to not take any action regarding a particular audit finding, if (for example) their view is that the code is working as designed, or if fixing the issue would consume resources wildly out of proportion to the problem solved. However, the entire audit report will be published at the end of the process, even if the maintainers choose not to address an issue.
The output of this stage is a Fix Log, which details the commits which fixed the issue (if a commit is necessary), along with any comments from the maintainers. This means it makes things much clearer if maintainers fix at most one issue per commit. Maintainers do have the option to not take any action regarding a particular audit finding, if (for example) their view is that the code is working as designed, or if fixing the issue would consume resources wildly out of proportion to the problem solved. However, the entire audit report will be published at the end of the process, even if the maintainers choose not to address an issue.


==Validation==
==Validation==
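Review bot: the sentence added to the Fix Log paragraph, "This means it makes things much clearer if maintainers fix at most one issue per commit", does not follow from the preceding clause ("along with any comments from the maintainers"), so the "This means" reads as a non sequitur. Suggest stating the rationale directly, for example: "Because the Fix Log references individual commits, it is much clearer if maintainers fix at most one issue per commit."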