Re: Bits from the Security Team
On Fri, 14 Mar 2008, Moritz Muehlenhoff wrote:
> This doesn't intend to duplicate information from the BTS. The RT
> queues even contain direct links to the BTS. RT is used to
> distribute work among the members of the security team and to keep
> pending issues more organized.
You could actually do all of that pretty easily using usertags or
similar, but it's your process. The main reason that I wanted to
clarify this is because the instructions sound like RT should be used
in lieu of the BTS, which isn't such a great idea.
The secondary reason is that it's very useful to see in a single
location the exact status of non-embargoed security bugs; using RT
means that someone who is interested has to find the RT bug which
corresponds to the package they're interested in and then check the
corresponding BTS bug (though I suppose this could be mitigated by
adding a reverse link to the RT bug from the BTS using the forwarded
field or similar.)
> RT mostly replaces sending mail to email@example.com if a
> maintainer wants to assist in preparing a security update. Mail doesn't
> scale very well, so we've had occasional smaller issues being lost in
> the noise.
I agree that some method of tracking what the stable security team is
working on is a good idea; e-mail definitely doesn't scale.
This can't be happening to me. I've got tenure.
-- James Hynes _Publish and Perish_