On Mon, Jan 6, 2025 at 7:38 AM Guillaume Nodet <gno...@apache.org> wrote: > > Le dim. 5 janv. 2025 à 15:49, Elliotte Rusty Harold > <elh...@ibiblio.org> a écrit : > > > > I do think the mailing list is severely misconfigured if it's paying > > any attention to dev branches. There's no reason it should be picking > > these commits up. If it is, let's fix it, not contort people's > > development process > > What kind of security issues are you talking about ? > Whether the coode / commits / changes are reviewed before entering > the repo or after does not change much afaik. >
Changes aren't reviewed after they're committed. Maybe one day someone happens to look at the code, but usually no one does. Allowing a skip of review makes it too easy to sneak in malicious code that no one will notice. Mandatory code review isn't the only part of software supply chain security, but it is an important one. I note that at Google this practice — mandatory code review before commit — is an absolute requirement, and security (also bugs) is a big part of the reason why. The same is true of most medium-to-large projects. Maven's the outlier here, perhaps because it's history predates git and modern security concerns. -- Elliotte Rusty Harold elh...@ibiblio.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
