| 1 |
Hello, everyone. |
| 2 |
|
| 3 |
TL;DR: I'd like to propose that stabilizations are done via blockers of |
| 4 |
security bugs instead of security bugs themselves, i.e. as any other |
| 5 |
stabilizations. |
| 6 |
|
| 7 |
|
| 8 |
Right now we're often performing security-related stabilizations via |
| 9 |
security bugs. This has a few problems, that are: |
| 10 |
|
| 11 |
1. Stabilization-related activity causes unnecessary mail to the widely |
| 12 |
subscribed security alias. That is, subscribed people get notified of |
| 13 |
package list changes, NATTkA results, every arch doing its work. |
| 14 |
However, in reality the security team only cares about stabilization |
| 15 |
being started, stalled or finished -- and for that, getting the usual |
| 16 |
'dependent bug added/closed' mail should be sufficient. |
| 17 |
|
| 18 |
2. NATTkA has no good way of distinguishing irrelevant security bugs |
| 19 |
from security bugs where something went wrong (and NATTkA doesn't use |
| 20 |
persistent state by design). The most important problem is that -- |
| 21 |
unlike regular stablereqs -- security bugs aren't supposed to be closed |
| 22 |
after stabilization. It can't really distinguish a security bug 'left |
| 23 |
open' from a security bug with incorrect package list. |
| 24 |
|
| 25 |
3. Proxied maintainers without editbugs can't actually CC arches on |
| 26 |
security bugs since the bugs are assigned to security@. |
| 27 |
|
| 28 |
|
| 29 |
To resolve these problems going forward and establish consistent |
| 30 |
behavior in the future, I'd like to propose to disable 'package list' |
| 31 |
fields on security bugs and instead expect regular stabilization bugs to |
| 32 |
be used (and made block the security bugs) for stabilizations. While I |
| 33 |
understand that filing additional bugs might be cumbersome for some |
| 34 |
people, I don't think it's such a herculean effort to outweigh |
| 35 |
the problems solved. |
| 36 |
|
| 37 |
In the end, consistency is a good thing and we've introduced a dedicated |
| 38 |
stabilization category to reduce the spread of stabilization bugs all |
| 39 |
around the place. |
| 40 |
|
| 41 |
WDYT? |
| 42 |
|
| 43 |
-- |
| 44 |
Best regards, |
| 45 |
Michał Górny |
Archives