On Tue, Jul 29, 2014 at 2:06 PM, Pine W wiki.pine@gmail.com wrote:
The everyday difference that this change makes may be trivial, but it makes sense to me to think of QA (and Security Engineering) as being part of RelEng.
I doubt we disagree too much, but I'll put on my security evangelist hat and get on my soapbox, since you phrased it that way.
It's not uncommon to see security placed (organizationally) as part of the release process. But while security reviews and security regression testing are important, I really hope that for MediaWiki, security isn't just a hurdle to deployment. I believe that security has to be a part of the entire development process to be effective. If the features aren't designed for security, security is always going to lose versus the need to deploy things that we've spent resources to develop. I think MediaWiki benefited a lot from having Tim be both the security evangelist and technical lead for so many years.
So I try to spend a significant portion of my time working early in the development lifecycle, training developers and working towards more secure architecture, rather than focusing on the release process to fix all the bugs before we push something out. Sometimes that happens, and other times (like this week) I spend most of my time fixing issues after they are already in production. Core has been a good place to do that work from so far.