> On 12 Aug 2021, at 16:17, Agostino Sarubbo <ago@g.o> wrote:
>
> On Thursday 12 August 2021 14:53:33 CEST Michał Górny wrote:
>> To resolve these problems going forward and establish consistent
>> behavior in the future, I'd like to propose to disable 'package list'
>> fields on security bugs and instead expect regular stabilization bugs to
>> be used (and made block the security bugs) for stabilizations. While I
>> understand that filing additional bugs might be cumbersome for some
>> people, I don't think it's such a herculean effort to outweigh
>> the problems solved.
>
> I think it is a good idea but the stabilization bug that blocks the security
> bug should at least have something (bugzilla KEYWORD?) to facilitate the
> search of the security stabilization.
> Atm we look for bugs with assignee = security@ and cc = arch@
>

This is my primary concern and as long as we use e.g. the SECURITY
keyword, I'm happy. From #gentoo-dev:

[22:34:36] <@sam_> ago: I was wondering if I could just detect by blockers but I think SECURITY blocker is simpler and requires less code/handling overall, so WFM
[22:35:25] <@ago> yeah

I'm a _little_ bit unsure about the extra work of filing new bugs, but I suspect
it's going to be worth it because of less special casing for everybody involved
(and not having to explain why security bugs are different to newbies, proxied-maints,
...).

best,
sam