> On 15 Apr 2022, at 02:38, John Helmert III <a...@gentoo.org> wrote:
>
> Hi all! Currently all security bugs are assigned to security@g.o,
> always. This can easily lead to some confusion about who needs to do
> something about a given bug; right now this is generally tracked by
> whiteboard magic strings that probably not many people outside of the
> Security Project understand [1] and this has been a source of
> confusion around security bugs for a long time.
>
> To make it abundantly clear who needs to take action for a given bug,
> I propose we move away from the dogma of security@ always being
> assigned to security bugs, and instead assign bugs to whoever needs to
> take action for the bug. For example, on security bugs that need a
> package bumped or cleaned up, the package maintainer would be
> assigned. For bugs needing a GLSA, security@ would be assigned.
> [...]
>
> What do you all think?
>

Yes, please. It's led to no end of confusion, and there have been many requests for this over the years.

> [1]
> https://www.gentoo.org/support/security/vulnerability-treatment-policy.html
> "Severity Level" section

Best,
sam