[QA] [Ops] security patches handling

[Stas Malyshev]

Hi!

> Nope, we (releng) don't/can't know the context for all of these patches.
> It's not
> our area of expertise--nor should it be. If patches shouldn't be applied
> anymore,
> the patch owner or the security team should remove it from the list or
> reach out
> to us to remove it.

For me, this sounds scary. E.g. let's say I refactor Special:Search, and
change some stuff. I have no idea security patches exist for that code,
and have no access to the security tickets. I can look at security
patches logging in to tin, but never heard anybody doing this (including
me) outside of having specific issue to deal with, and looking only at
the patch without context probably won't help much.

OTOH, the author of the patch has no idea I was refactoring
Special:Search - the patch may have been done half a year ago and the
author has long since moved on to do different things. So, when merging
it, we have: a) code from someone having no idea patch exists; b) patch
from someone having no idea code changed; and c) releng engineer having
very little idea about what's going on there. For me it is a recipe for
getting into trouble.

We should either radically shorten patch lifetimes outside master - to
the matter of few weeks at most - or develop some mechanism for raising
the awareness of at least people with +2 that these patches exist and
need to be looked at. Maybe both.

-- 
Stas Malyshev
smalyshev at wikimedia.org