Hi, Curtis. Thanks for these notes. My only reaction was to echo what Robert wrote here:

On Tue, Jun 21, 2011 at 10:27 PM, Robert Collins <robe...@robertcollins.net> wrote:
> On Wed, Jun 22, 2011 at 2:43 PM, Curtis Hovey <cur...@hovey.name> wrote:
>> * A bug that is private and security will have both the bug
>> supervisor and security contact subscribed.
>
> This would break the contract desired for security bugs: that only the
> security team can see them.
>

I agree. If bug supervisor shouldn't see security bugs, just marking it private shouldn't grant additional privileges. It seems simpler and more consistent to say "if it's a security bug, regardless of private or public, only the security contact is subscribed."

But maybe that's not your intent and I'm misreading your rules? And if it is, I'm not sure I understand the reasoning for allowing security bugs to be public, if we don't want anyone but the security contact to see them.

(Note that I get the rationale and nuances of why we have public but security bugs today. I'm trying to understand if your new rules are meant to change this, or if the rules only relate to who gets auto-subscribed to a class of bug.)

Cheers,
deryck

--
Deryck Hodge
https://launchpad.net/~deryck
http://www.devurandom.org/