Audits are conducted to ensure the absence of severe or exploitable bugs. Pull Requests are generally merged into the
master branch without audit. The audited tag is used to track the latest audited commit of the master branch. This
means that audits need to happen in order of being merged.
This is an optimistic approach that lets us develop with greater speed, while requiring (possibly) large refactors in
the failure case.
Audits can be deferred if the logic is gated by an experimental feature or marked as "Not Production Ready" within the
first line of doc. Such changes should be queued manually before these warnings are removed.
There is no single one-fits-all rule. Generally we should audit important logic that could immediately be used on production networks. If in doubt, ask in chat or in the Merge Request.
- Add the PR to the project
Security Audit (PRs) - SRLabs - Set status to Backlog
- Assign priority, considering the universe of PRs currently in the backlog
- Add the component