| 1 |
Hi All, |
| 2 |
|
| 3 |
When bumping for security updates, the requirement is that the |
| 4 |
replacement ebuild be stabilized (the GLSA be issued), and then to clean |
| 5 |
up the tree of vulnerable versions. |
| 6 |
|
| 7 |
As a proxy maintainer, the addition of a tag to queue a PR pending a |
| 8 |
specific Bug be closed first would in this scenario be potentially |
| 9 |
beneficial. |
| 10 |
|
| 11 |
Specifically, what I suggest is to flag the PR that fixes the issues |
| 12 |
(ie, ebuild bump) with the usual Bug: tag, but to then at the same time |
| 13 |
be able to pre-emptively file a PR removing the vulnerable versions, but |
| 14 |
only once the security bug has been handled (closed). |
| 15 |
|
| 16 |
Towards this end, I'd suggest a tag such as: |
| 17 |
|
| 18 |
Pending: https://bugs.gentoo.org/NNNNNN — to reference a bug; the bug |
| 19 |
needs to be closed before this PR will be considered for merging. |
| 20 |
|
| 21 |
Obviously it's also possible to file a second bug that depends on the |
| 22 |
security bug, but this doesn't block merging. QA checks doesn't make |
| 23 |
sense to run (since this remove commit will mostly likely remove all |
| 24 |
current stable versions). |
| 25 |
|
| 26 |
Ideas and thoughts around this? |
| 27 |
|
| 28 |
Kind Regards, |
| 29 |
Jaco |
Archives