This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new cdf83eca docs(vulnogram): name the advisory tab "OSS/ASF Emails" in RM
hand-off (#570)
cdf83eca is described below
commit cdf83eca872088cfe3c8ee20029130b2b0bd9b20
Author: Shahar Epstein <[email protected]>
AuthorDate: Fri Jun 26 18:04:36 2026 +0300
docs(vulnogram): name the advisory tab "OSS/ASF Emails" in RM hand-off
(#570)
The release-manager hand-off comment templates referred to Vulnogram's
advisory/reviewer tab as "the #email tab". The ASF Vulnogram UI labels
that tab "OSS/ASF Emails"; rename the visible references in both the
manual-paste and OAuth-pushed variants (keeping the #email URL anchor)
so the RM finds the tab the comment tells them to click.
Reported by the Apache Airflow security team during a CVE sync run.
Generated-by: Claude Code (Opus 4.8)
---
.../release-manager-handoff-comment-oauth-pushed.md | 4 ++--
tools/cve-tool-vulnogram/release-manager-handoff-comment.md | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git
a/tools/cve-tool-vulnogram/release-manager-handoff-comment-oauth-pushed.md
b/tools/cve-tool-vulnogram/release-manager-handoff-comment-oauth-pushed.md
index bbd993c6..e455650e 100644
--- a/tools/cve-tool-vulnogram/release-manager-handoff-comment-oauth-pushed.md
+++ b/tools/cve-tool-vulnogram/release-manager-handoff-comment-oauth-pushed.md
@@ -103,7 +103,7 @@ This tracker is now yours to drive from **Steps 13 → 14 →
15** of the securi
Open the record's [`#source` tab](SOURCE_TAB_URL) in your browser. **State**
field at the top should read `REVIEW` — that is the precondition for this
comment firing, so it should match. If it doesn't, stop and ping @potiuk;
otherwise:
-1. **Click the [`#email` tab](EMAIL_TAB_URL)** on the same page. Scroll
through any reviewer comments left by the ASF Security Team's CVE reviewers.
**You do not need to act on reviewer comments yourself** — they arrive by email
on `SECURITY_LIST` with the CVE ID in the subject, and sync detects them on the
next run, opens corresponding body-field updates on this tracker, and re-pushes
the JSON. If the comments tab is empty, or carries a closure note (*"OK, looks
good"* / *"approved"*), [...]
+1. **Click the [OSS/ASF Emails tab](EMAIL_TAB_URL)** (the `#email` anchor) on
the same page. Scroll through any reviewer comments left by the ASF Security
Team's CVE reviewers. **You do not need to act on reviewer comments yourself**
— they arrive by email on `SECURITY_LIST` with the CVE ID in the subject, and
sync detects them on the next run, opens corresponding body-field updates on
this tracker, and re-pushes the JSON. If the comments tab is empty, or carries
a closure note (*"OK, lo [...]
2. **When the reviewer thread is clear** (no open comments, or all comments
have an *"OK, looks good"*-style closer), click the **REVIEW button on the
Editor tab** to advance the record from `REVIEW` → `READY`. Click **Save**.
*The record is now staged for advisory send.*
@@ -113,7 +113,7 @@ Open the record's [`#source` tab](SOURCE_TAB_URL) in your
browser. **State** fie
### Step 2 of 3 — preview the advisory email, then send it
-With the record in `READY`, click the [`#email` tab](EMAIL_TAB_URL) on the
same record page. This shows you, in the exact format that goes out, what the
advisory email will look like when sent to `USERS_LIST` and `ANNOUNCE_LIST`.
+With the record in `READY`, click the [OSS/ASF Emails tab](EMAIL_TAB_URL) (the
`#email` anchor) on the same record page. This shows you, in the exact format
that goes out, what the advisory email will look like when sent to `USERS_LIST`
and `ANNOUNCE_LIST`.
**Check that:**
- The subject line is `CVE_ID: <one-line description>` and the description
matches what you'd want public.
diff --git a/tools/cve-tool-vulnogram/release-manager-handoff-comment.md
b/tools/cve-tool-vulnogram/release-manager-handoff-comment.md
index e782b08a..52bed4a5 100644
--- a/tools/cve-tool-vulnogram/release-manager-handoff-comment.md
+++ b/tools/cve-tool-vulnogram/release-manager-handoff-comment.md
@@ -105,7 +105,7 @@ RM_HANDLE — the release with the fix has shipped, and the
CVE record on Vulnog
Open the record's [`#source` tab](SOURCE_TAB_URL) in your browser. **State**
field at the top should read `REVIEW` — that is the precondition for this
comment firing, so it should match. If it doesn't, stop and ping @potiuk;
otherwise:
-1. **Click the [`#email` tab](EMAIL_TAB_URL)** on the same page. Scroll
through any reviewer comments left by the ASF Security Team's CVE reviewers.
**You do not need to act on reviewer comments yourself** — they arrive by email
on `SECURITY_LIST` with the CVE ID in the subject, and sync detects them on the
next run, opens corresponding body-field updates on this tracker, and re-pushes
the JSON. If the comments tab is empty, or carries a closure note (*"OK, looks
good"* / *"approved"*), [...]
+1. **Click the [OSS/ASF Emails tab](EMAIL_TAB_URL)** (the `#email` anchor) on
the same page. Scroll through any reviewer comments left by the ASF Security
Team's CVE reviewers. **You do not need to act on reviewer comments yourself**
— they arrive by email on `SECURITY_LIST` with the CVE ID in the subject, and
sync detects them on the next run, opens corresponding body-field updates on
this tracker, and re-pushes the JSON. If the comments tab is empty, or carries
a closure note (*"OK, lo [...]
2. **When the reviewer thread is clear** (no open comments, or all comments
have an *"OK, looks good"*-style closer), click the **REVIEW button on the
Editor tab** to advance the record from `REVIEW` → `READY`. Click **Save**.
*The record is now staged for advisory send.*
@@ -115,7 +115,7 @@ Open the record's [`#source` tab](SOURCE_TAB_URL) in your
browser. **State** fie
### Step 2 of 3 — preview the advisory email, then send it
-With the record in `READY`, click the [`#email` tab](EMAIL_TAB_URL) on the
same record page. This shows you, in the exact format that goes out, what the
advisory email will look like when sent to `USERS_LIST` and `ANNOUNCE_LIST`.
+With the record in `READY`, click the [OSS/ASF Emails tab](EMAIL_TAB_URL) (the
`#email` anchor) on the same record page. This shows you, in the exact format
that goes out, what the advisory email will look like when sent to `USERS_LIST`
and `ANNOUNCE_LIST`.
**Check that:**
- The subject line is `CVE_ID: <one-line description>` and the description
matches what you'd want public.