<div dir="ltr"><div dir="ltr">We have discussed this at numerous OMC meetings in terms of how to managed potential <b>perceived </b>conflicts of interest that might arise if people outside of the fellows come from the same company and hence can effectively turn the OMC review control mechanism into a single control rather than a dual control.<div><br></div><div>We discussed tooling changes to make checking this possible given that in each instance we have had the individuals involved make a commitment to avoid that situation (through their own actions).</div><div>Occasionally that didn't happen and the person "corrected" it when pointed out.</div><div><br></div><div>We haven't formally voted to make such a change - however it is something that I think we should have in place and I do support.</div><div>Making a formal policy change of course will go through our usual decision making process.</div><div><br></div><div>What I was expecting tooling-wise is that the scripts would detect this situation and advise - at the very least warn - and potentially blocking things.</div><div><br></div><div>The OpenSSL fellows are in a completely different context - the company they work for is directed by the OMC - so there isn't a separate external third party source of influence so there is no reasonable mechanism to <b>perceive</b> a potential conflict of interest.</div><div><br></div><div>Note - this is all about <b>perceptions</b> of a <b>potential</b> situation - not about something we are actually concerned about for the individuals involved.</div><div>However it is prudent to address even the perception of a path for potential conflicts of interest in my view.</div><div><br></div><div>Tim.</div><div><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 24, 2019 at 8:16 AM Paul Dale <<a href="mailto:paul.dale@oracle.com">paul.dale@oracle.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">There hasn't been a vote about this, however both Shane and I have committed to not approve each other's PRs.<br>
<br>
I also asked Richard if this could be mechanically enforced, which I expect will happen eventually.<br>
<br>
<br>
Pauli<br>
-- <br>
Oracle<br>
Dr Paul Dale | Cryptographer | Network Security & Encryption <br>
Phone +61 7 3031 7217<br>
Oracle Australia<br>
<br>
<br>
-----Original Message-----<br>
From: Salz, Rich [mailto:<a href="mailto:rsalz@akamai.com" target="_blank">rsalz@akamai.com</a>] <br>
Sent: Friday, 24 May 2019 1:01 AM<br>
To: <a href="mailto:openssl-project@openssl.org" target="_blank">openssl-project@openssl.org</a><br>
Subject: Re: No two reviewers from same company<br>
<br>
> I understand that OpenSSL is changing things so that, by mechanism (and maybe by<br>
> policy although it’s not published yet), two members of the same company cannot<br>
> approve the same PR. That’s great. (I never approved Akamai requests unless it<br>
> was trivial back when I was on the OMC.)<br>
<br>
No such decision has been made as far as I know although it has been discussed<br>
at various times.<br>
<br>
In private email, and <a href="https://github.com/openssl/openssl/pull/8886#issuecomment-494624313" rel="noreferrer" target="_blank">https://github.com/openssl/openssl/pull/8886#issuecomment-494624313</a> the implication is that this was a policy.<br>
<br>
> Should this policy be extended to OpenSSL’s fellows?<br>
<br>
IMO, no.<br>
<br>
Why not? I understand build process is always handled by Matt and Richard (despite many attempts in the past to expand this), but I think if Oracle or Akamai can't "force a change" then it seems to me that the OMC shouldn't either.<br>
<br>
<br>
</blockquote></div></div>