This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git


The following commit(s) were added to refs/heads/main by this push:
     new cdf83eca docs(vulnogram): name the advisory tab "OSS/ASF Emails" in RM 
hand-off (#570)
cdf83eca is described below

commit cdf83eca872088cfe3c8ee20029130b2b0bd9b20
Author: Shahar Epstein <[email protected]>
AuthorDate: Fri Jun 26 18:04:36 2026 +0300

    docs(vulnogram): name the advisory tab "OSS/ASF Emails" in RM hand-off 
(#570)
    
    The release-manager hand-off comment templates referred to Vulnogram's
    advisory/reviewer tab as "the #email tab". The ASF Vulnogram UI labels
    that tab "OSS/ASF Emails"; rename the visible references in both the
    manual-paste and OAuth-pushed variants (keeping the #email URL anchor)
    so the RM finds the tab the comment tells them to click.
    
    Reported by the Apache Airflow security team during a CVE sync run.
    
    Generated-by: Claude Code (Opus 4.8)
---
 .../release-manager-handoff-comment-oauth-pushed.md                   | 4 ++--
 tools/cve-tool-vulnogram/release-manager-handoff-comment.md           | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git 
a/tools/cve-tool-vulnogram/release-manager-handoff-comment-oauth-pushed.md 
b/tools/cve-tool-vulnogram/release-manager-handoff-comment-oauth-pushed.md
index bbd993c6..e455650e 100644
--- a/tools/cve-tool-vulnogram/release-manager-handoff-comment-oauth-pushed.md
+++ b/tools/cve-tool-vulnogram/release-manager-handoff-comment-oauth-pushed.md
@@ -103,7 +103,7 @@ This tracker is now yours to drive from **Steps 13 → 14 → 
15** of the securi
 
 Open the record's [`#source` tab](SOURCE_TAB_URL) in your browser. **State** 
field at the top should read `REVIEW` — that is the precondition for this 
comment firing, so it should match. If it doesn't, stop and ping @potiuk; 
otherwise:
 
-1. **Click the [`#email` tab](EMAIL_TAB_URL)** on the same page. Scroll 
through any reviewer comments left by the ASF Security Team's CVE reviewers. 
**You do not need to act on reviewer comments yourself** — they arrive by email 
on `SECURITY_LIST` with the CVE ID in the subject, and sync detects them on the 
next run, opens corresponding body-field updates on this tracker, and re-pushes 
the JSON. If the comments tab is empty, or carries a closure note (*"OK, looks 
good"* / *"approved"*),  [...]
+1. **Click the [OSS/ASF Emails tab](EMAIL_TAB_URL)** (the `#email` anchor) on 
the same page. Scroll through any reviewer comments left by the ASF Security 
Team's CVE reviewers. **You do not need to act on reviewer comments yourself** 
— they arrive by email on `SECURITY_LIST` with the CVE ID in the subject, and 
sync detects them on the next run, opens corresponding body-field updates on 
this tracker, and re-pushes the JSON. If the comments tab is empty, or carries 
a closure note (*"OK, lo [...]
 
 2. **When the reviewer thread is clear** (no open comments, or all comments 
have an *"OK, looks good"*-style closer), click the **REVIEW button on the 
Editor tab** to advance the record from `REVIEW` → `READY`. Click **Save**. 
*The record is now staged for advisory send.*
 
@@ -113,7 +113,7 @@ Open the record's [`#source` tab](SOURCE_TAB_URL) in your 
browser. **State** fie
 
 ### Step 2 of 3 — preview the advisory email, then send it
 
-With the record in `READY`, click the [`#email` tab](EMAIL_TAB_URL) on the 
same record page. This shows you, in the exact format that goes out, what the 
advisory email will look like when sent to `USERS_LIST` and `ANNOUNCE_LIST`.
+With the record in `READY`, click the [OSS/ASF Emails tab](EMAIL_TAB_URL) (the 
`#email` anchor) on the same record page. This shows you, in the exact format 
that goes out, what the advisory email will look like when sent to `USERS_LIST` 
and `ANNOUNCE_LIST`.
 
 **Check that:**
 - The subject line is `CVE_ID: <one-line description>` and the description 
matches what you'd want public.
diff --git a/tools/cve-tool-vulnogram/release-manager-handoff-comment.md 
b/tools/cve-tool-vulnogram/release-manager-handoff-comment.md
index e782b08a..52bed4a5 100644
--- a/tools/cve-tool-vulnogram/release-manager-handoff-comment.md
+++ b/tools/cve-tool-vulnogram/release-manager-handoff-comment.md
@@ -105,7 +105,7 @@ RM_HANDLE — the release with the fix has shipped, and the 
CVE record on Vulnog
 
 Open the record's [`#source` tab](SOURCE_TAB_URL) in your browser. **State** 
field at the top should read `REVIEW` — that is the precondition for this 
comment firing, so it should match. If it doesn't, stop and ping @potiuk; 
otherwise:
 
-1. **Click the [`#email` tab](EMAIL_TAB_URL)** on the same page. Scroll 
through any reviewer comments left by the ASF Security Team's CVE reviewers. 
**You do not need to act on reviewer comments yourself** — they arrive by email 
on `SECURITY_LIST` with the CVE ID in the subject, and sync detects them on the 
next run, opens corresponding body-field updates on this tracker, and re-pushes 
the JSON. If the comments tab is empty, or carries a closure note (*"OK, looks 
good"* / *"approved"*),  [...]
+1. **Click the [OSS/ASF Emails tab](EMAIL_TAB_URL)** (the `#email` anchor) on 
the same page. Scroll through any reviewer comments left by the ASF Security 
Team's CVE reviewers. **You do not need to act on reviewer comments yourself** 
— they arrive by email on `SECURITY_LIST` with the CVE ID in the subject, and 
sync detects them on the next run, opens corresponding body-field updates on 
this tracker, and re-pushes the JSON. If the comments tab is empty, or carries 
a closure note (*"OK, lo [...]
 
 2. **When the reviewer thread is clear** (no open comments, or all comments 
have an *"OK, looks good"*-style closer), click the **REVIEW button on the 
Editor tab** to advance the record from `REVIEW` → `READY`. Click **Save**. 
*The record is now staged for advisory send.*
 
@@ -115,7 +115,7 @@ Open the record's [`#source` tab](SOURCE_TAB_URL) in your 
browser. **State** fie
 
 ### Step 2 of 3 — preview the advisory email, then send it
 
-With the record in `READY`, click the [`#email` tab](EMAIL_TAB_URL) on the 
same record page. This shows you, in the exact format that goes out, what the 
advisory email will look like when sent to `USERS_LIST` and `ANNOUNCE_LIST`.
+With the record in `READY`, click the [OSS/ASF Emails tab](EMAIL_TAB_URL) (the 
`#email` anchor) on the same record page. This shows you, in the exact format 
that goes out, what the advisory email will look like when sent to `USERS_LIST` 
and `ANNOUNCE_LIST`.
 
 **Check that:**
 - The subject line is `CVE_ID: <one-line description>` and the description 
matches what you'd want public.

Reply via email to