It would be hard for a sekrit society of developers to push through any changes that aren't documented publicly; we can all see the commit stream to Git, and if there are a sudden burst of patches being committed that violate the community's agreed-upon practices for submission and review, the community can call shenanigans on the person(s) doing the commits.

In the case of any critical security fix, it would be the Release Manager's and Release Maintainers' responsibilities to justify the change set and the deviation from standard procedure; this is probably going to be as simple as "fixes this security issue" in the commit message.  Once it's committed, a more robust report can be written up somewhere and linked.

I don't think we're going to encounter these kinds of security issues often, so building a complex process to handle them seems counter-productive.  I'd rather spend the time just finding/fixing any such issues.


-Ian

On Fri, Jun 3, 2011 at 8:38 AM, Owen Leonard <oleonard@myacpl.org> wrote:
> Op vrijdag 3 juni 2011 22:03:50 schreef MJ Ray:
>> Please, no closed list for development discussions.

We're not talking about a secret cabal of self-chosen list members
(anymore). Koha now has an (informally) elected list of officers who
can be on the list: Release manager, release maintainer, QA manager.
Let's keep it as simple as that.

 -- Owen

--
Web Developer
Athens County Public Libraries
http://www.myacpl.org



--
Ian Walls
Lead Development Specialist
ByWater Solutions
ALA Booth 732
Phone # (888) 900-8944
http://bywatersolutions.com
ian.walls@bywatersolutions.com
Twitter: @sekjal