Hi All,

When bumping for security updates, the requirement is that the
replacement ebuild be stabilized (the GLSA be issued), and then to clean
up the tree of vulnerable versions.

As a proxy maintainer, the addition of a tag to queue a PR pending a
specific Bug being closed first would in this scenario be potentially
beneficial.

Specifically, what I suggest is to flag the PR that fixes the issues
(i.e., the ebuild bump) with the usual Bug: tag, but to then at the same time
be able to pre-emptively file a PR removing the vulnerable versions, but
only once the security bug has been handled (closed).

Towards this end, I'd suggest a tag such as:

Pending: https://bugs.gentoo.org/NNNNNN — to reference a bug; the bug
needs to be closed before this PR will be considered for merging.

Obviously it's also possible to file a second bug that depends on the
security bug, but this doesn't block merging. QA checks don't make
sense to run (since this removal commit will most likely remove all
current stable versions).

Ideas and thoughts around this?

Kind Regards,
Jaco
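As an added illustration of the proposed tag (not code from the list or from Gentoo's tooling): a small parser for Bug:/Pending: trailer lines in a commit message, plus a gate that reports which Pending: bugs still block merging. The bug numbers, the status map and the choice to treat RESOLVED/VERIFIED as "closed" are assumptions of this example.

```python
import re
from typing import Dict, List

# Git-style trailer lines such as "Bug: https://bugs.gentoo.org/123456" or
# "Pending: https://bugs.gentoo.org/123456" (the tag proposed in the mail).
TRAILER_RE = re.compile(r"^(?P<key>Bug|Pending):\s*(?P<url>\S+)\s*$", re.MULTILINE)
# Accept both the short URL form and show_bug.cgi?id=...; the id must be numeric,
# so a literal placeholder like NNNNNN is rejected instead of silently ignored.
BUG_URL_RE = re.compile(r"^https://bugs\.gentoo\.org/(?:show_bug\.cgi\?id=)?(?P<id>\d+)$")

# Assumption: these Bugzilla statuses count as "closed" for gating purposes.
CLOSED_STATUSES = {"RESOLVED", "VERIFIED"}


def parse_trailers(message: str) -> Dict[str, List[int]]:
    """Return the bug ids referenced by Bug: and Pending: trailers in a commit message."""
    found: Dict[str, List[int]] = {"Bug": [], "Pending": []}
    for m in TRAILER_RE.finditer(message):
        url_m = BUG_URL_RE.match(m.group("url"))
        if url_m is None:
            raise ValueError(f"unrecognised bug URL in trailer: {m.group('url')}")
        found[m.group("key")].append(int(url_m.group("id")))
    return found


def merge_blocked_by(message: str, bug_status: Dict[int, str]) -> List[int]:
    """Return the Pending: bugs that are not yet closed; an empty list means mergeable.

    bug_status maps bug id -> Bugzilla status (constructed here; in practice it would
    come from a Bugzilla query). A bug with no known status is treated as blocking.
    """
    pending = parse_trailers(message)["Pending"]
    return [b for b in pending if bug_status.get(b, "UNKNOWN") not in CLOSED_STATUSES]


if __name__ == "__main__":
    # Constructed sample: the bump PR carries Bug:, the removal PR carries Pending:.
    removal = "app-foo/bar: drop vulnerable 1.2.2\n\nPending: https://bugs.gentoo.org/100001\n"
    print(merge_blocked_by(removal, {100001: "IN_PROGRESS"}))  # [100001]: still blocked
    print(merge_blocked_by(removal, {100001: "RESOLVED"}))     # []: ready to merge
```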