On Tue, Aug 8, 2017 at 11:38 PM, Nicolas B. Pierron <
nicolas.b.pier...@mozilla.com> wrote:

>> However, users outside of the security group(s) can see confidential bugs
>> if they are involved with them in some way.  Frequently the CC field is
>> used as a way to include outsiders in a bug.
> Note that Bugzilla warns us against adding people who do not have s-s
> access to s-s bug. (This is an awesome feature by the way)

It really shouldn't. Unless we expand the group of people who can see
security bugs to thousands of people (everyone with an NDA? even that might
not be enough) there will always be people who need to see a bug who
weren't able to see it by default. Since we have the CC'ing mechanism we
can keep the "default" group small and then freely CC people as needed.

I only know of two such warnings.

1) when you needinfo? someone who can't see a bug. That's warning you that
they won't ever see your request, not that you shouldn't add them to the
bug. If it were the latter we'd also be warning every time you CC someone
on a hidden bug. Since a named request is obviously inviting that person
into the bug we should just automatically CC that person at the same time.

2) when duping a bug. Normally when you dupe a bug the reporter of the dupe
is silently CC'd to the active bug. For security bugs the warning makes
this a conscious choice. Most of the time I'd say "sure, go ahead": the
reporter already knows about the issue, they might as well continue to be
involved in the solution. There are cases, though, where that's not true so
it's good to have people make a conscious choice. We might not want to CC
the dupe reporter if the active bug is not an identical dupe but is instead
a broader issue, or if the dupe target has a more damaging example that the
dupe reporter hadn't thought of yet.

Sometimes people dupe bugs to one that will fix it, but isn't the same kind
of testcase. When it's a security bug I usually prefer that we mark those
as "Depends on" the other bug and leave them open so we can verify the fix
later. As a bonus, then the CC'ing issue doesn't come up.

Dan Veditz
dev-platform mailing list