Johan Cwiklinski wrote:
> Toshio Kuratomi wrote:
>> When I brought this up, Bastien Nocera brought up security bugs and not
>> wanting random people to be CC'd before a security bug is resolved. How
>> should we deal with this?
>>
>> -Toshio
>>
> Hi,
>
> Isn't it the work of bugzilla to send security issue mails to only a
> restricted group?
> As we cannot see these bugs in the bugzilla, I think it should not send
> us mail either... But I do not know if bugzilla permits this or not.
>
AFAIK, bugzilla will send the security mail/allow people to see the security bug if they are explicitly CC'd on the bug. You are explicitly CC'd on the bug if you are given the watchbugzilla acl in pkgdb.

> For the commits, I really do not know, but once committed, any packager
> can get the sources; that would be a "minor" issue, the security hole
> would be resolved at this time, and should come into the repositories
> quickly.
>
<nod> I'd like this to be consistent with the watchbugzilla acls if possible, but perhaps having watchcommits be autoapprove but not watchbugzilla is the way to go.

> Another possibility would be to not allow automatic approval for such
> packages, maybe with an option in the interface, and let the maintainer
> choose if he wants to allow that for his package or not?

It's a possibility but I don't think it's a good one. Are we trying to address a maintainer's concerns with such an option, or are we trying to keep security bugs private until the fix can be released? If the latter is the goal, making this settable per package is the wrong thing to do.

-Toshio
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list