Posted by kscheirer on February 3, 2015 at 6:34pm
This project application https://www.drupal.org/node/2267557 is a good example of a large project. I would say this is a good candidate for a single project promotion, but it would still have to go through some security checks. The volume of code is quite large though - it seems unfair to ask klausi or others to review all of that.
So the question I'm raising is, what do we want to do when there's a very large project being submitted? They are unlikely to get proper reviews. Even if they do get one, it's unlikely that they will receive enough to make it to RTBC.
Do we have a procedure for "single project promote" and the minimal review required to do that?

Comments
The admins will do the same
The admins will do the same thing they do for most projects. We will spend 15-20 minutes looking at it for a sanity check. Whether the user has a good grasp of the API will become apparent quickly. On a large module, I will do searches for the common XSS culprits and db_select() to check for node_access tags. I will sometimes install the module on simplytest.me and run my XSS tester. I will look at a few form builder/validator/submitters to see if they look OK.
We are not here to make sure modules are perfect. We are here to make sure modules aren't terrible, and are reasonably confident that secure practices are being used.
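The db_select() / node_access search mentioned in the comment above can be scripted for a large module. The following is an added example, not part of the thread and not the reviewers' own tooling. It assumes Drupal 7 style code, checks only queries whose base table is `node`, and expects function-closing braces at column 0; the PHP sample is constructed.

```python
import re

# Constructed Drupal 7 style module code, not taken from any real project.
SAMPLE = r"""<?php
function demo_untagged() {
  return db_select('node', 'n')->fields('n', array('nid'))->execute();
}
function demo_tagged() {
  return db_select('node', 'n')->fields('n', array('nid'))
    ->addTag('node_access')->execute();
}
function demo_tagged_later() {
  $query = db_select('node', 'n');
  $query->addTag('node_access');
  return $query->execute();
}
function demo_other_table() {
  return db_select('variable', 'v')->fields('v')->execute();
}
"""

# db_select() on the node table, optionally assigned to a variable.
SELECT = re.compile(r"(?:(\$\w+)\s*=\s*)?db_select\(\s*['\"]node['\"]")
TAG = r"->\s*addTag\(\s*['\"]node_access['\"]\s*\)"

def untagged_node_selects(php):
    """Return line numbers of db_select('node', ...) calls with no node_access tag."""
    hits = []
    for m in SELECT.finditer(php):
        # Statement runs to the next ';' (a ';' inside a string literal would cut it short).
        end = php.find(";", m.end())
        end = len(php) if end == -1 else end
        tagged = re.search(TAG, php[m.start():end]) is not None
        var = m.group(1)
        if not tagged and var:
            # Query built step by step: look for $var->addTag('node_access')
            # in the rest of the function (assumed to end at a column-0 brace).
            body_end = php.find("\n}", end)
            rest = php[end:body_end if body_end != -1 else len(php)]
            tagged = re.search(re.escape(var) + r"\s*" + TAG, rest) is not None
        if not tagged:
            hits.append(php.count("\n", 0, m.start()) + 1)
    return hits

if __name__ == "__main__":
    print(untagged_node_selects(SAMPLE))
```

A hit is only a prompt for manual review: queries that join the node table from another base table are not covered by this check.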
Exactly, large projects are
Exactly, large projects are not a problem, we just stop reviewing after 10 minutes if we are confident that people know what they are doing.
Of course we try to identify as many security issues and API misuses as possible during a review, but we cannot and should not give a guarantee that we find all of them.