1 |
Hi Michał, |
2 |
|
3 |
On Thu, 12 Aug 2021 14:53:33 +0200 Michał Górny wrote: |
4 |
|
5 |
>Hello, everyone. |
6 |
> |
7 |
>TL;DR: I'd like to propose that stabilizations are done via blockers of |
8 |
>security bugs instead of security bugs themselves, i.e. as any other |
9 |
>stabilizations. |
10 |
> |
11 |
> |
12 |
>Right now we're often performing security-related stabilizations via |
13 |
>security bugs. This has a few problems, that are: |
14 |
> |
15 |
>1. Stabilization-related activity causes unnecessary mail to the widely |
16 |
>subscribed security alias. That is, subscribed people get notified of |
17 |
>package list changes, NATTkA results, every arch doing its work. |
18 |
>However, in reality the security team only cares about stabilization |
19 |
>being started, stalled or finished -- and for that, getting the usual |
20 |
>'dependent bug added/closed' mail should be sufficient. |
21 |
> |
22 |
>2. NATTkA has no good way of distinguishing irrelevant security bugs |
23 |
>from security bugs where something went wrong (and NATTkA doesn't use |
24 |
>persistent state by design). The most important problem is that -- |
25 |
>unlike regular stablereqs -- security bugs aren't supposed to be closed |
26 |
>after stabilization. It can't really distinguish a security bug 'left |
27 |
>open' from a security bug with incorrect package list. |
28 |
> |
29 |
>3. Proxied maintainers without editbugs can't actually CC arches on |
30 |
>security bugs since the bugs are assigned to security@. |
31 |
> |
32 |
> |
33 |
>To resolve these problems going forward and establish consistent |
34 |
>behavior in the future, I'd like to propose to disable 'package list' |
35 |
>fields on security bugs and instead expect regular stabilization bugs |
36 |
>to be used (and made block the security bugs) for stabilizations. |
37 |
>While I understand that filing additional bugs might be cumbersome for |
38 |
>some people, I don't think it's such a herculean effort to outweigh |
39 |
>the problems solved. |
40 |
|
41 |
Indeed, filing stablereq bugs is not really that big of a deal. |
42 |
|
43 |
>In the end, consistency is a good thing and we've introduced a |
44 |
>dedicated stabilization category to reduce the spread of stabilization |
45 |
>bugs all around the place. |
46 |
> |
47 |
>WDYT? |
48 |
> |
49 |
|
50 |
I like this proposal and fully support it. Thanks for bringing it up. |
51 |
|
52 |
Cheers |
53 |
-- |
54 |
Lars Wendler |
55 |
Gentoo package maintainer |
56 |
GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39 |