On Wed, 12 Sep 2012 19:59:01 +0200
Pacho Ramos <[email protected]> wrote:
> Hello
>
> Currently, package maintainers are CCed to security bugs when they
> are needed. The problem is that, once maintainers add a fixed version
> and tell the security team they are ok to get it stabilized, maintainers
> are kept CCed until the bug is closed by the security team. This usually means
> getting a lot of mail after some time when the security team discusses if a
> GLSA should be filed or not, if the security bot adds some comment...
> some of those comments are applied to really old bugs that need no
> action from maintainers.
So you would want to be re-CC'd when it is time to remove the vulnerable
versions, I guess.
Also, I have problems with stating "getting too much mail" as the
actual problem. Perhaps your brain or your computer can smartly filter
them out?
> Maybe it would be interesting to change the policy to unCC maintainers
> again when their action is no longer required.
You can un-CC yourself. I don't see why security@ should be doing the
legwork.
jer