On 13.09.2012 09:29, Pacho Ramos wrote:
> […] 
> OK, then, looks like the policy could be that, once all arches are done,
> maintainers clean up ebuilds and unCC themselves; that way, if they are
> still getting mails from the bug report, it is because they forgot to remove
> vulnerable versions and, if not, it is because all their work was finished.
> Are you ok with this policy?

A general note: The request makes one wonder a bit how much you actually
care about your package if a few emails disturb you. Arches, Security,
and users reporting issues are trying to help you get the package into a
good shape.

Now, I can understand the request for the sake of possibly less email,
less bugs appearing in "bugs I'm in CC on" searches and such, especially
when things on the security side take a bit longer.

We have no problem with people removing themselves after a bit of time,
after arches are done and vulnerable versions are removed, but I
certainly won't encourage people to do that actively right away.
The reasons for this are a) that unCC usually generates another email
(hey, not just maintainers want as little email as possible) and b)
sometimes things still come up that require maintainer attention (mostly
users reporting issues).
The Security team certainly won't unCC people as suggested before in the
thread, and if there are packages where more issues happen "post-unCC",
we'd have to manually reCC maintainers every time. So you'd be weighing our
time against a few bytes in your inbox.

What we could agree on is clarifying that maintainers have to stay on CC
until stabling is done and vulnerable versions are removed; that they can,
if they want, remove themselves a while after that; and that Security might
ask them to stay on CC next time, should the package turn out to require
their attention after stabling more often.

@security: ack?

Alex

-- 
Alex Legler <a...@gentoo.org>
Gentoo Security/Ruby/Infrastructure
