launchpad-dev team mailing list archive

[Matthew Revell <matthew.revell@xxxxxxxxxxxxx>]

On 1 December 2011 14:09, curtis Hovey <curtis.hovey@xxxxxxxxxxxxx> wrote:
> On 12/01/2011 08:39 AM, Matthew Revell wrote:
>>> Right now, only people who can see the security bug can remove its
>>> security status, right? What happens in a world where we have
>>> disclosed (i.e. public) security bug reports? Who gets to remove the
>>> security status/tag?
>
> Right now, anyone who is subscribed to a bug can toggle the security and
> privacy states. Right now, there are about 4000 public security bugs. It
> is common to make security bugs public when the fix is available. Lp's
> UI does not make the current practice clear.

So, for public security bugs anyone at all can choose to subscribe and
could potentially remove the security tag.

>> To clarify: I think it should still be the security team, even if the
>> security bug is public.
>
> No user has ever reported a bug suggesting a restriction of who can
> change the status.

It seems to me like it offers the same potential for the, usually
well-meaning, meddling that we've seen elsewhere. We restrict certain
bug statuses, so why not restrict who can remove a bug's security tag?

-- 
Matthew Revell
Launchpad Product Manager
Canonical

https://launchpad.net/~matthew.revell