On Mon, Jan 6, 2025 at 7:38 AM Guillaume Nodet <gno...@apache.org> wrote:
>
> On Sun, Jan 5, 2025 at 15:49, Elliotte Rusty Harold
> <elh...@ibiblio.org> wrote:
> >
> > I do think the mailing list is severely misconfigured if it's paying
> > any attention to dev branches. There's no reason it should be picking
> > these commits up. If it is, let's fix it, not contort people's
> > development process
>
> What kind of security issues are you talking about?
> Whether the code / commits / changes are reviewed before entering
> the repo or after does not change much afaik.
>

Changes aren't reviewed after they're committed. Maybe one day someone
happens to look at the code, but usually no one does. Allowing a skip
of review makes it too easy to sneak in malicious code that no one
will notice. Mandatory code review isn't the only part of software
supply chain security, but it is an important one.

I note that at Google this practice — mandatory code review before
commit — is an absolute requirement, and security (also bugs) is a big
part of the reason why. The same is true of most medium-to-large
projects. Maven's the outlier here, perhaps because its history
predates git and modern security concerns.

-- 
Elliotte Rusty Harold
elh...@ibiblio.org
