On Tue, Aug 8, 2017 at 11:38 PM, Nicolas B. Pierron < nicolas.b.pier...@mozilla.com> wrote:
>> However, users outside of the security group(s) can see confidential bugs
>> if they are involved with them in some way. Frequently the CC field is
>> used as a way to include outsiders in a bug.
>
> Note that Bugzilla warns us against adding people who do not have s-s
> access to an s-s bug. (This is an awesome feature by the way)

It really shouldn't. Unless we expand the group of people who can see security bugs to thousands of people (everyone with an NDA? even that might not be enough) there will always be people who need to see a bug who weren't able to see it by default. Since we have the CC'ing mechanism we can keep the "default" group small and then freely CC people as needed.

I only know of two such warnings.

1) when you needinfo? someone who can't see a bug. That's warning you that they won't ever see your request, not that you shouldn't add them to the bug. If it were the latter we'd also be warning every time you CC someone on a hidden bug. Since a named request is obviously inviting that person into the bug we should just automatically CC that person at the same time.

2) when duping a bug. Normally when you dupe a bug the reporter of the dupe is silently CC'd to the active bug. For security bugs the warning makes this a conscious choice. Most of the time I'd say "sure, go ahead": the reporter already knows about the issue, they might as well continue to be involved in the solution. There are cases, though, where that's not true, so it's good to have people make a conscious choice. We might not want to CC the dupe reporter if the active bug is not an identical dupe but is instead a broader issue, or if the dupe target has a more damaging example that the dupe reporter hadn't thought of yet. Sometimes people dupe bugs to one that will fix it, but isn't the same kind of testcase. When it's a security bug I usually prefer that we mark those as "Depends on" the other bug and leave them open so we can verify the fix later. As a bonus, then the CC'ing issue doesn't come up.

- Dan Veditz

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform