On 1 December 2011 14:09, curtis Hovey <curtis.ho...@canonical.com> wrote: > On 12/01/2011 08:39 AM, Matthew Revell wrote: >>> Right now, only people who can see the security bug can remove its >>> security status, right? What happens in a world where we have >>> disclosed (i.e. public) security bug reports? Who gets to remove the >>> security status/tag? > > Right now, anyone who is subscribed to a bug can toggle the security and > privacy states. Right now, there are about 4000 public security bugs. It > is common to make security bugs public when the fix is available. Lp's > UI does not make the current practice clear.
So, for public security bugs anyone at all can choose to subscribe and could potentially remove the security tag. >> To clarify: I think it should still be the security team, even if the >> security bug is public. > > No user has ever reported a bug suggesting a restriction of who can > change the status. It seems to me like it offers the same potential for the, usually well-meaning, meddling that we've seen elsewhere. We restrict certain bug statuses, so why not restrict who can remove a bug's security tag? -- Matthew Revell Launchpad Product Manager Canonical https://launchpad.net/~matthew.revell _______________________________________________ Mailing list: https://launchpad.net/~launchpad-dev Post to : launchpad-dev@lists.launchpad.net Unsubscribe : https://launchpad.net/~launchpad-dev More help : https://help.launchpad.net/ListHelp
