On Wed, 12-09-2012 at 20:29 +0200, Jeroen Roovers wrote:
> On Wed, 12 Sep 2012 19:59:01 +0200
> Pacho Ramos <pa...@gentoo.org> wrote:
>
> > Hello
> >
> > Currently, package maintainers are CCed to security bugs when they
> > are needed. The problem is that, once maintainers add a fixed version
> > and tell security team they are ok to get it stabilized, maintainers
> > are kept CCed until bug is closed by security team. This usually means
> > getting a lot of mail after some time when security team discuss if a
> > GLSA should be filed or not, if security bot adds some comment...
> > some of those comments are applied to really old bugs that need no
> > action from maintainers.
>
> So you would want to be re-CC'd when it is time to remove the vulnerable
> versions, I guess.
Personally, I have never been asked by them to remove old vulnerable
versions (and this refers to bugs I get from gnome and dotnet herds).

> Also, I have problems with stating "getting too much mail" as the
> actual problem.

The problem is that one and, also, getting a comment months after the
fixed version was stabilized with a comment like "GLSA vote = no" or
similar. That comment is only useful to the security team.

> Perhaps your brain or your computer can smartly filter
> them out?

Perhaps things can be enhanced to not send useless mails that will need
to be removed just after they are received; this is pretty annoying when
I fetch a ton of mails after being out during August.

> > Maybe it would be interesting to change the policy to unCC maintainers
> > again when their action is no longer required.
>
> You can un-CC yourself. I don't see why security@ should be doing the
> legwork.

It shouldn't be so hard to do; they can do it just when they CC arches,
instead of relying on some random team member to do it himself once a
useless message is received.

> jer