[webkit-dev] rolling out a buggy security patch

Osztrogonác Csaba oszi at inf.u-szeged.hu
Tue Mar 12 01:36:06 PDT 2013


The rollout patch was already r+'ed, thanks for the quick r+.

But my question is still open about how we can avoid similar
problems in the future. Why can't we let the EWS bots
build and test security patches before commit?


Osztrogonác Csaba wrote:
> https://trac.webkit.org/changeset/145482 which is a security
> fix, broke 33 JSC tests and made a zillion layout tests time out
> on all platforms. (It seems the author forgot to run tests at
> least on his own platform and to watch the bots after landing.)
> It made bots exit early and caused very long test runtimes. Now bots can't
> catch any new regression because of this patch. I tried to ping the
> author and reviewer on #webkit, but they are unavailable.
> Unfortunately rolling out isn't possible with sheriffbot. And I
> don't think I have authorization for rolling out a security fix
> without review irrespective of its goodness/bugginess. Additionally
> EWS bots can't test security patches without security group access.
> And gardeners can't comment on the original security bug report because
> of the same reason.
> So I filed a new bug report about this serious and blocker regression:
> https://bugs.webkit.org/show_bug.cgi?id=112112 and I propose that we
> should roll it out until the author can fix it offline. Could you
> review this rollout patch, please?
> Otherwise it would be great if EWS bots could test security patches
> before committing to avoid similar problems. I noticed that a security
> fix broke the build and/or many tests several times.
