
launchpad-dev team mailing list archive

Re: Changing Lp to not conflate public, private, and security visibility

 

Hi, Curtis.

Thanks for these notes.  My only reaction was to echo what Robert wrote here:

On Tue, Jun 21, 2011 at 10:27 PM, Robert Collins
<robertc@xxxxxxxxxxxxxxxxx> wrote:
> On Wed, Jun 22, 2011 at 2:43 PM, Curtis Hovey <curtis@xxxxxxxxxx> wrote:
>>      * A bug that is private and security will have both the bug
>>        supervisor and security contact subscribed.
>
> This would break the contract desired for security bugs: that only the
> security team can see them.
>

I agree.  If bug supervisor shouldn't see security bugs, just marking
it private shouldn't grant additional privileges.  It seems simpler
and more consistent to say "if it's a security bug, regardless of
private or public, only the security contact is subscribed."  But
maybe that's not your intent and I'm misreading your rules?  And if it
is, I'm not sure I understand the reasoning for allowing security bugs
to be public, if we don't want anyone but the security contact to see
them.

(Note that I get the rationale and nuances of why we have public but
security bugs today.  I'm trying to understand if your new rules are
meant to change this, or if the rules only relate to who gets
auto-subscribed to a class of bug.)

Cheers,
deryck

-- 
Deryck Hodge
https://launchpad.net/~deryck
http://www.devurandom.org/

