Hi!

On Wed, 29 Nov 2017 00:09:28 +0100 Raphael Geissert <geiss...@debian.org> wrote:
> Hi,
>
> On 9 October 2017 at 19:47, Markus Koschany <a...@debian.org> wrote:
> [...]
> > If the bug is reported against a package with a version number that
> > indicates a security update like +deb7u1 or ~deb8u3, both team mailing
> > lists should be added to CC after the bug reporter confirms that this
> > is a regression caused by a security update.
>
> Perhaps reportbug could check the package's changelog to determine
> whether the latest update was a security or LTS one. It could do so by
> looking for the sec team's or LTS' snippet on the latest version.
>
> Then and only then it could also ask for confirmation, as in: "is the
> bug a recent regression?", and CC the corresponding team. For
> instance, there's no need to CC the security team for regressions by
> LTS updates.

Adding both teams to CC was intentional because a regression might affect more than one Debian distribution at the same time and sometimes people just detect it in stable/oldstable/oldoldstable first but the same bug affects the rest as well. Of course if we communicate such regressions between both teams, we can change this behavior.

I don't see any mechanism or code in reportbug that deals with parsing the changelog at the moment which means this idea is rather intrusive. If we really want to go this route then we have to make sure that those changelog strings are unambiguous like "Non-maintainer upload by the security team" or "Non-maintainer upload by the LTS team". External contributors which are not part of both teams also have to adhere to this naming scheme.

I would prefer this solution. At the moment we check for the version string and I think that's sufficient for an initial check. The following actions should be triggered by the user himself by answering specific questions.

What do you think about adding a second question after "Do you want to report a regression because of a security update?"

Is this regression in Debian's LTS release?

Yes, this bug is in the LTS release. -> only CC the LTS team
No, this bug is not in the LTS release -> CC the security team

What do you think about that? Please also ask the other team members for their opinion.

Cheers,

Markus
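
The checks discussed in this thread, as an added example that is not part of the original message and is not reportbug code: the version-suffix check, a lookup of the proposed changelog strings in the newest entry only, and the two-question CC flow. The function names and the "security"/"lts" labels are assumptions, and the sample changelog is constructed.

```python
import re

# Version suffix the thread treats as indicating a security update.
SECURITY_SUFFIX = re.compile(r"[+~]deb(\d+)u(\d+)$")

# Changelog strings proposed in the thread as unambiguous markers.
MARKERS = {
    "Non-maintainer upload by the security team": "security",
    "Non-maintainer upload by the LTS team": "lts",
}


def looks_like_security_update(version):
    """Initial check: does the version end in +debNuM or ~debNuM?"""
    return SECURITY_SUFFIX.search(version) is not None


def team_from_changelog(changelog):
    """Return 'security', 'lts' or None, reading the newest entry only."""
    newest = []
    for line in changelog.splitlines():
        if line.startswith(" -- "):  # trailer line ends the newest entry
            break
        newest.append(line)
    body = "\n".join(newest).lower()
    found = {team for marker, team in MARKERS.items() if marker.lower() in body}
    return found.pop() if len(found) == 1 else None  # unclear: ask the user


def teams_to_cc(version, confirmed_regression, in_lts):
    """Question flow from the thread: the reporter's answers decide the CC."""
    if not looks_like_security_update(version) or not confirmed_regression:
        return []
    return ["lts"] if in_lts else ["security"]


# Constructed sample changelog (not from a real package).
SAMPLE = """\
examplepkg (1.2-3+deb7u1) wheezy-security; urgency=high

  * Non-maintainer upload by the LTS team.

 -- Example Person <person@example.org>  Mon, 01 Jan 2018 00:00:00 +0000

examplepkg (1.2-3) unstable; urgency=low

  * Non-maintainer upload by the security team.

 -- Example Person <person@example.org>  Sun, 01 Jan 2017 00:00:00 +0000
"""
```

Stopping at the first trailer line keeps an older entry's marker (the security-team line in the second entry of the sample) from being mistaken for the latest upload.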