You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+33-12Lines changed: 33 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1211,19 +1211,30 @@ we can do two things:
1211
1211
1. List all distinct binary packages that should be promoted. Often a source package will have binary packages that aren't actually needed in main. Things like `-doc`, `-autopilot` or `-dbgsym`. These can stay in universe, and it is a kindness to list only the packages we need for the archive team member that does the promotion.
1212
1212
1. Recommend the owning team to add their corresponding team bug subscriber during the MIR process.
1213
1213
1214
-
## MIR Review - service level objective
1214
+
#Constraints and Service Level Objectives
1215
1215
1216
-
MIR reviews take time, scaling up with the complexity of the case. Sadly it is usually
1217
-
the very complex, very special cases that come in very late then are not happy with the
1218
-
velocity of review.
1216
+
Reviews take time, scaling up with the complexity of the case. Sadly it is usually
1217
+
the very complex, very special cases that tend to come in very late then be unhappy
1218
+
with the velocity of the review.
1219
+
For transparency and to manage expectations we hereby defined the service level
1220
+
objectives we defined for this process.
1221
+
1222
+
Furthermore to be clear - you can help!
1223
+
You know in advance what we will check.
1224
+
History shows that a well prepared case will pass through more quickly in each
1225
+
phase. By truly caring about tests, quality, warnings and the many other things
1226
+
we check for you can help efficiency. So please take all the statements we ask
1227
+
for serious and try to fulfill them.
1228
+
1229
+
## MIR Review SLO
1219
1230
1220
1231
While we aim for more when possible, our goal is to assign (in the weekly meeting)
1221
-
one review per active MIR member per week, and coming back with the result until
1222
-
the next meeting or earlier. That usually means we can handle ~4 cases per week,
1232
+
one review per active MIR member per week, and coming back with the result before
1233
+
the next meeting. On average that means we can handle ~4 cases per week,
1223
1234
sometimes more (if we can make the space or they are trivial) and sometimes
1224
1235
less (PTO times).
1225
1236
1226
-
So far this used to be always enough and allowed <week responses for almost
1237
+
So far this used to be always enough and allowed < 1 week responses for almost
1227
1238
all cases for several years now. Except in spikes of everyone dumping huge
1228
1239
changes last minute right before feature freeze. Try to avoid that phase
1229
1240
to help yourself getting a timely review.
@@ -1232,17 +1243,27 @@ The above of course is for the initial review, if everything is fine and no
1232
1243
security review needed that is it and you are done. But findings have to be
1233
1244
answered or fixed and if needed a security review has to be exercised. The time
1234
1245
for this depends on the complexity of the findings and remember that there have
1235
-
been cases as bad as being rejected forcing the requester to look for
1246
+
been cases as bad as being rejected, forcing the requester to look for
1236
1247
alternative solutions.
1237
1248
Please consider this in your estimations when you plan a contribution.
1238
1249
1239
-
## Security Reviews
1250
+
## Security Review SLO
1240
1251
1241
-
Security team MIRs are laborious and require lead time. Make MIR requests as early in a release cycle as possible, ideally well before Feature Freeze. For a MIR to be considered for a release, it must be assigned to the Security team (by the MIR team) before Beta Freeze. This does not guarantee that a security review can be completed by Final Release. Ask the director of Security for exceptions.
1252
+
Security team MIRs are laborious and require lead time. Make MIR requests as
1253
+
early in a release cycle as possible, ideally well before Feature Freeze. For
1254
+
a MIR to be considered for a release, it must be assigned to the Security
1255
+
team (by the MIR team) before Beta Freeze. This does not guarantee that a
1256
+
security review can be completed by Final Release. Ask the director of
1257
+
Security for exceptions.
1242
1258
1243
-
The best ways to contact the Security team about MIRs is the [MIR / Audits Jira Page](https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594) or through the Mattermost channels `~mir-security-review-priority` or `~security-engineering`.
1259
+
The best ways to contact the Security team about MIRs is the
or through the Mattermost channels `~mir-security-review-priority` or `~security-engineering`.
1244
1262
1245
-
Teams are encouraged to set the relative importance of MIRs they own on the [MIR / Audits Jira Page](https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594). Security attempts to work across and prioritize all teams equally. Jira priority drives the order we work on MIRs.
1263
+
Teams are encouraged to set the relative importance of MIRs they own on the
0 commit comments