Subject: Re: [gentoo-dev] About changing security policy to unCC maintainers when their are not needed
From: Pacho Ramos
To: gentoo-dev@lists.gentoo.org
Date: Wed, 12 Sep 2012 20:53:20 +0200

On Wed, 12-09-2012 at 20:29 +0200, Jeroen Roovers wrote:
> On Wed, 12 Sep 2012 19:59:01 +0200
> Pacho Ramos wrote:
>
> > Hello
> >
> > Currently, package maintainers are CCed to security bugs when they
> > are needed. The problem is that, once maintainers add a fixed version
> > and tell security team they are ok to get it stabilized, maintainers
> > are kept CCed until bug is closed by security team. This usually means
> > getting a lot of mail after some time when security team discuss if a
> > GLSA should be filed or not, if security bot adds some comment...
> > some of those comments are applied to really old bugs that need no
> > action from maintainers.
>
> So you would want to be re-CC'd when it is time to remove the vulnerable
> versions, I guess.

Personally, I have never been asked by them to remove old vulnerable
versions (and this refers to bugs I get from gnome and dotnet herds).

>
> Also, I have problems with stating "getting too much mail" as the
> actual problem.

The problem is that one and, also, getting a comment months after the
fixed version was stabilized with a comment like "GLSA vote = no" or
similar. That comment is only useful to the security team.

> Perhaps your brain or your computer can smartly filter
> them out?

Perhaps things can be enhanced to not send useless mails that will need
to get removed just after they are received; this is pretty annoying
when I fetch a ton of mails after being out during August.

>
> > Maybe it would be interesting to change the policy to unCC maintainers
> > again when their action is no longer required.
>
> You can un-CC yourself. I don't see why security@ should be doing the
> legwork.
>
>

It shouldn't be so hard to do; they can do it just when they CC arches,
instead of relying on some random team member to do it himself once a
useless message is received.

> jer
>
>