| 1 |
Hi Michał, |
| 2 |
|
| 3 |
On Thu, 12 Aug 2021 14:53:33 +0200 Michał Górny wrote: |
| 4 |
|
| 5 |
>Hello, everyone. |
| 6 |
> |
| 7 |
>TL;DR: I'd like to propose that stabilizations are done via blockers of |
| 8 |
>security bugs instead of security bugs themselves, i.e. as any other |
| 9 |
>stabilizations. |
| 10 |
> |
| 11 |
> |
| 12 |
>Right now we're often performing security-related stabilizations via |
| 13 |
>security bugs. This has a few problems, that are: |
| 14 |
> |
| 15 |
>1. Stabilization-related activity causes unnecessary mail to the widely |
| 16 |
>subscribed security alias. That is, subscribed people get notified of |
| 17 |
>package list changes, NATTkA results, every arch doing its work. |
| 18 |
>However, in reality the security team only cares about stabilization |
| 19 |
>being started, stalled or finished -- and for that, getting the usual |
| 20 |
>'dependent bug added/closed' mail should be sufficient. |
| 21 |
> |
| 22 |
>2. NATTkA has no good way of distinguishing irrelevant security bugs |
| 23 |
>from security bugs where something went wrong (and NATTkA doesn't use |
| 24 |
>persistent state by design). The most important problem is that -- |
| 25 |
>unlike regular stablereqs -- security bugs aren't supposed to be closed |
| 26 |
>after stabilization. It can't really distinguish a security bug 'left |
| 27 |
>open' from a security bug with incorrect package list. |
| 28 |
> |
| 29 |
>3. Proxied maintainers without editbugs can't actually CC arches on |
| 30 |
>security bugs since the bugs are assigned to security@. |
| 31 |
> |
| 32 |
> |
| 33 |
>To resolve these problems going forward and establish consistent |
| 34 |
>behavior in the future, I'd like to propose to disable 'package list' |
| 35 |
>fields on security bugs and instead expect regular stabilization bugs |
| 36 |
>to be used (and made block the security bugs) for stabilizations. |
| 37 |
>While I understand that filing additional bugs might be cumbersome for |
| 38 |
>some people, I don't think it's such a herculean effort to outweigh |
| 39 |
>the problems solved. |
| 40 |
|
| 41 |
Indeed, filing stablereq bugs is not really that big of a deal. |
| 42 |
|
| 43 |
>In the end, consistency is a good thing and we've introduced a |
| 44 |
>dedicated stabilization category to reduce the spread of stabilization |
| 45 |
>bugs all around the place. |
| 46 |
> |
| 47 |
>WDYT? |
| 48 |
> |
| 49 |
|
| 50 |
I like this proposal and fully support it. Thanks for bringing it up. |
| 51 |
|
| 52 |
Cheers |
| 53 |
-- |
| 54 |
Lars Wendler |
| 55 |
Gentoo package maintainer |
| 56 |
GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39 |
Archives