On Tue, Jul 29, 2014 at 2:06 PM, Pine W <wiki.pine(a)gmail.com> wrote:
The everyday difference that this change makes may be trivial, but it makes sense to me to think of QA (and Security Engineering) as being part of RelEng.
I doubt we disagree too much, but I'll put on my security evangelist
hat and get on my soapbox, since you phrased it that way.
It's not uncommon to see security placed (organizationally) as part of
the release process. But while security reviews and security
regression testing are important, I really hope that for MediaWiki,
security isn't just a hurdle to deployment. I believe that security
has to be a part of the entire development process to be effective. If
the features aren't designed for security, security is always going to
lose versus the need to deploy things that we've spent resources to
develop. I think MediaWiki benefited a lot from having Tim be both the
security evangelist and technical lead for so many years.
So I try to spend a significant portion of my time working early in
the development lifecycle, training developers and working towards
more secure architecture, rather than focusing on the release process
to fix all the bugs before we push something out. Sometimes that
happens, and other times (like this week) I spend most of my time
fixing issues after they are already in production. Core has been a
good place to do that work from so far.