Comment 6 for bug 61909

Matt Zimmerman (mdz) wrote : Re: [Bug 61909] Re: Security subscription should be implicit

On Mon, Jan 08, 2007 at 06:08:02PM -0000, Kees Cook wrote:
> I would agree that the multi-step process of unchecking "security" and
> then having to unsubscribe the security team is a hassle.
>
> Brad's comments weren't clear to me, so I guess to have an opinion about
> this, I'd need to get the following clarified:
>
> - who can flag/unflag a bug as being a security issue? (I would be
> uncomfortable if it were "just anyone" and things were changed so that
> the security team would become unsubscribed when the flag was unchecked.
> e.g. perhaps their definition and my definition of a "security issue"
> are different, and suddenly I'd silently stop getting any updates on the
> bug)

I think anyone can do this, but an email notification is sent, so this
should never be silent.

> - who can read a bug report when it is flagged as private? (I have
> always assumed it is the subscribers. As the CVE tracking is moved into
> Malone there WILL be use-cases where we need a bug report to be visible
> ONLY to the security team and people explicitly subscribed to the bug.
> i.e. just because you have your bugmail settings set up to subscribe you
> to a package doesn't mean you should be able to see embargoed security
> bugs)

I believe only explicit subscribers (including the assignee?) and Launchpad
administrators have access to private bugs. Kiko can confirm.

--
 - mdz