Hello, everyone.

TL;DR: I'd like to propose that stabilizations are done via blockers of
security bugs instead of security bugs themselves, i.e. as any other
stabilizations.


Right now we're often performing security-related stabilizations via
security bugs. This has a few problems, which are:

1. Stabilization-related activity causes unnecessary mail to the widely
subscribed security alias. That is, subscribed people get notified of
package list changes, NATTkA results, every arch doing its work.
However, in reality the security team only cares about stabilization
being started, stalled or finished -- and for that, getting the usual
'dependent bug added/closed' mail should be sufficient.

2. NATTkA has no good way of distinguishing irrelevant security bugs
from security bugs where something went wrong (and NATTkA doesn't use
persistent state by design). The most important problem is that --
unlike regular stablereqs -- security bugs aren't supposed to be closed
after stabilization. It can't really distinguish a security bug 'left
open' from a security bug with an incorrect package list.

3. Proxied maintainers without editbugs can't actually CC arches on
security bugs since the bugs are assigned to security@.


To resolve these problems going forward and establish consistent
behavior in the future, I'd like to propose to disable 'package list'
fields on security bugs and instead expect regular stabilization bugs to
be used (and made to block the security bugs) for stabilizations. While I
understand that filing additional bugs might be cumbersome for some
people, I don't think it's such a herculean effort to outweigh
the problems solved.

In the end, consistency is a good thing and we've introduced a dedicated
stabilization category to reduce the spread of stabilization bugs all
around the place.

WDYT?

--
Best regards,
Michał Górny