launchpad-dev team mailing list archive

Thread
Date

Re: Describing access policies in bug and branch UI

From: curtis Hovey <curtis.hovey@xxxxxxxxxxxxx>
Date: Thu, 01 Dec 2011 09:09:13 -0500
Cc: Launchpad Development Team <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAKiYkZKgW6RpwzdhWAc2V0LdAULKDN7z3dthmWM54wshgFn8VA@mail.gmail.com>
Organization: Canonical Ltd.
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20111124 Thunderbird/8.0

On 12/01/2011 08:39 AM, Matthew Revell wrote:
>> Right now, only people who can see the security bug can remove its
>> security status, right? What happens in a world where we have
>> disclosed (i.e. public) security bug reports? Who gets to remove the
>> security status/tag?

Right now, anyone who is subscribed to a bug can toggle the security and
privacy states. Right now, there are about 4000 public security bugs. It
is common to make security bugs public when the fix is available. Lp's
UI does not make the current practice clear.

> To clarify: I think it should still be the security team, even if the
> security bug is public.

No user has ever reported a bug suggesting a restriction of who can
change the status.

-- 
Curtis Hovey
http://launchpad.net/~sinzui

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups

Re: Describing access policies in bug and branch UI
From: Matthew Revell, 2011-12-07

References

Describing access policies in bug and branch UI
From: curtis Hovey, 2011-11-23
Re: Describing access policies in bug and branch UI
From: Martin Pool, 2011-11-30
Re: Describing access policies in bug and branch UI
From: Matthew Revell, 2011-12-01
Re: Describing access policies in bug and branch UI
From: Matthew Revell, 2011-12-01