AW: [openssl] OpenSSL_1_1_1-stable update

Matt Caswell matt at openssl.org
Fri May 24 14:39:51 UTC 2019



On 24/05/2019 15:30, Richard Levitte wrote:
> On Fri, 24 May 2019 16:20:59 +0200,
> Matt Caswell wrote:
>> On 24/05/2019 15:10, Richard Levitte wrote:
>>> If we go with the idea that an approval also involves approving what
>>> branches it goes to, then what happens if someone realises after some
>>> time that a set of commits (a PR) that was applied to master only
>>> should really also be applied to 1.1.1?  Should the approval process
>>> start over from scratch, i.e. all approvals that went to master should
>>> be scratched and replaced with a new set of approvals (in principle)?
>>
>> No. If the PR was approved for master and applied to master then no problem - it
>> stays in master. If it is later realised that it needs to be backported to other
>> branches then, yes, new approvals need to be sought for that change to *those
>> branches*.
>>
>> As far as I was aware we've always done this.
> 
> Not in practice.  We *do* ask on the PR in question if it should be
> cherry-picked to 1.1.1 and seek approval for that action, but then it
> hasn't at all been clear what should happen regarding Received-By
> tags.
> 
> I have personally never touched them when cherry-picking, even in this
> scenario.  I do not know what others do in that case...

In the vast majority of the cases the reviewers are the same. In the rare
circumstances where they are different I have always changed them. I thought
everyone did. IMO that is the correct action. By putting your name as a reviewer
against a PR you are effectively saying "I have reviewed this and agree that it
is appropriate for this to be merged". I wouldn't want other people putting my
name in a reviewed-by tag where I have not approved it and I have not considered
the implications of that change in that branch. What if it resulted in a
critical CVE?

Matt

