
launchpad-dev team mailing list archive

Re: Describing access policies in bug and branch UI


On 1 December 2011 14:09, Curtis Hovey <curtis.hovey@xxxxxxxxxxxxx> wrote:
> On 12/01/2011 08:39 AM, Matthew Revell wrote:
>>> Right now, only people who can see the security bug can remove its
>>> security status, right? What happens in a world where we have
>>> disclosed (i.e. public) security bug reports? Who gets to remove the
>>> security status/tag?
> Right now, anyone who is subscribed to a bug can toggle the security and
> privacy states. Right now, there are about 4000 public security bugs. It
> is common to make security bugs public when the fix is available. Lp's
> UI does not make the current practice clear.

So, for public security bugs anyone at all can choose to subscribe and
could potentially remove the security tag.

>> To clarify: I think it should still be the security team, even if the
>> security bug is public.
> No user has ever reported a bug suggesting a restriction of who can
> change the status.

It seems to me like it offers the same potential for the, usually
well-meaning, meddling that we've seen elsewhere. We restrict certain
bug statuses, so why not restrict who can remove a bug's security tag?

Matthew Revell
Launchpad Product Manager

