Firewall Wizards mailing list archives

Re: Code review/audit and/or version control


From: George Capehart <capegeo () opengroup org>
Date: Tue, 23 Jul 2002 09:56:39 +0800

Joseph S D Yao wrote:

> If you are doing version control, you have access to previous versions
> and the commentary from when it was checked in.  Just as with in-line
> comments, the version control comments have to be MEANINGFUL, not just
> "made changes."!!!
>
> ISTM that the old versions can be used to good advantage in two ways:
>
> (1) New version introduces greater and unforeseen (of course!) security
> problem; quickly get out old version with known but lesser security
> problem, and also re-install whatever shim we had used to work around
> the security problem until the "fixed" version was installed.

OK.  You got me there.  I didn't say exactly what I was thinking.  I had
in mind two scenarios . . . one where, say, a format string bug or a
memory leak was fixed . . . and nothing else was broken in the process 
;->, and the other where there is parallel development going on and a
bug gets fixed in one branch but then overwritten when a patch/hotfix is
created.  What I'm concerned about here is a breakdown in process . . .
not a valid reason to roll back a change . . . 


> (2) Determine that the neat new way to do something has already been
> tried, and read the MEANINGFUL version control comments to determine
> why it was removed from service!

Absolutely!


> --
> Joe Yao                         jsdy () center osis gov - Joseph S. D. Yao
> OSIS Center Systems Support                                     EMT-B
> -----------------------------------------------------------------------
>    This message is not an official statement of OSIS Center policies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
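The thread's point that version control comments must be MEANINGFUL, not "made changes", can be enforced mechanically at check-in time. The following is an added example, not from this thread or either author: a POSIX shell commit-msg hook in git's hook convention (an assumption; git postdates this exchange) that rejects vacuous subjects and requires a body saying why the change was made, which is exactly what scenario (2) above needs later.

```shell
#!/bin/sh
# Added example (not from the thread): a git commit-msg hook, in POSIX sh,
# that rejects vacuous version-control comments such as "made changes".
# git calls it with the message file path as $1 (assumed git convention).
# Returns 0 if the message in file $1 is acceptable, 1 otherwise.
check_commit_msg() {
    msgfile="$1"
    # Subject = first line that is neither a '#' comment nor blank.
    subject=$(grep -v '^#' "$msgfile" | sed '/^[[:space:]]*$/d' | head -n 1)
    # Normalise: lowercase, non-alphanumerics to single spaces, trim.
    norm=$(printf '%s' "$subject" | tr '[:upper:]' '[:lower:]' \
           | tr -cs 'a-z0-9 ' ' ' | sed 's/^ *//; s/ *$//')
    if [ "${#norm}" -lt 15 ]; then
        echo "commit-msg: subject too short to be meaningful: '$subject'" >&2
        return 1
    fi

    # Count words that carry information; filler words (constructed list)
    # like "made", "changes", "stuff" do not count.
    content=0
    for w in $norm; do
        case "$w" in
            made|make|makes|change|changes|changed|fix|fixes|fixed|bug|bugs|\
            update|updates|updated|misc|stuff|things|some|minor|various|\
            to|the|a|an|and|in|of|for|wip|code|tweak|tweaks) ;;
            *) content=$((content + 1)) ;;
        esac
    done
    if [ "$content" -lt 2 ]; then
        echo "commit-msg: subject says nothing specific: '$subject'" >&2
        return 1
    fi

    # The "why" (what was broken, what replaced what) belongs in the body:
    # require at least one non-blank, non-comment line after the subject.
    body_lines=$(grep -v '^#' "$msgfile" | sed '/^[[:space:]]*$/d' \
                 | sed '1d' | wc -l | tr -d ' ')
    if [ "$body_lines" -lt 1 ]; then
        echo "commit-msg: add a body explaining why this change was made" >&2
        return 1
    fi
    return 0
}

# Hook entry point: only runs when git supplies a message file.
if [ -n "${1:-}" ]; then
    check_commit_msg "$1" || exit 1
fi
```

Install it as `.git/hooks/commit-msg` (executable) to make the check run on every commit; the filler list is a starting point to tune per project.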