[ros-dev] Re: Vote: code auditing

Murphy, Ged (Bolton) MurphyG at cmpbatteries.co.uk
Fri Feb 24 09:14:19 CET 2006 

Brandon Turner wrote
> 
> " B - Sections of ReactOS which require auditing are 
> 'locked', that being 
> that the source is fully available to download and build, but no 
> development work should be undertaken until the said code has 
> passed the 
> audit. The lock will be removed only when that section of 
> code has been 
> audited."
> 
> I have asked 3-4 times but still havent got an answer as far 
> as I can tell.  Does the definition of "audit" in the pharse 
> mean the code needs to be looked through and documented and 
> bad code be marked.  Or does it mean all that and the marked 
> code needs to be rewritten for it to be considered "audited".

Here is my understanding (although I'm not saying it's correct)

First of all, we must take the authors word on whether something needs
auditing or not.
If a particular author says the code which he wrote is clean, then this
automatically bypasses the audit.
This clears up James' worry about his dll code which he has declared clean.

If an author can't be contacted, it is classes as unknown and must go
through the audit process.

Once we have a list of all code which has not been verified, a new SVN user
is generated and he is used to lock all the code (this is done with a
separate user to avoid certain features of SVN lock)

Any developer is able to remove a lock. Locking the code only really acts as
a reminder that the code has not passed an audit. This code shouldn't be
modified / improved until it has done so. The lock therefore ensures all the
code is audited and nothing is missed. It also acts as an incentive to get
the code audited.
Without the lock, I think it will be conveniently forgotten about.....

Once code has been locked how does it get out of locked status?

I think there are 3 possibilities:
- look through the code looking for anything even remotely strange. (I think
Alex's description which I have linked to the end of this mail makes some
good points). If all the code seems perfectly legitimate, it passes the
audit and the lock is removed.
- If code doesn't seem legitimate, search for documentation. If docs are
found to cater for all the questionable code, the docs are added and the
code passes audit.
- If the code doesn't seem legitimate and docs can't be found, then the code
is deemed dirty and further action must be taken (e.g. part of the code
rewritten, all the code rewritten, docs written, etc). This would have to be
discussed at greater length.


HTH

Ged.





************************************************************************
The information contained in this message or any of its
attachments is confidential and is intended for the exclusive
use of the addressee. The information may also be legally
privileged. The views expressed may not be company policy,
but the personal views of the originator. If you are not the
addressee, any disclosure, reproduction, distribution or other
dissemination or use of this communication is strictly prohibited.
If you have received this message in error, please contact
postmaster at exideuk.co.uk 
<mailto:postmaster at exideuk.co.uk> and then delete this message. 

Exide Technologies is an industrial and transportation battery
producer and recycler with operations in 89 countries.
Further information can be found at www.exide.com

More information about the Ros-dev mailing list