Hi All,

When bumping for security updates, the requirement is that the replacement ebuild be stabilized (and the GLSA issued), and that the tree then be cleaned of vulnerable versions.

As a proxy maintainer, the addition of a tag to queue a PR pending a specific Bug being closed first would in this scenario be potentially beneficial. Specifically, what I suggest is to flag the PR that fixes the issues (i.e., the ebuild bump) with the usual Bug: tag, but to then at the same time be able to pre-emptively file a PR removing the vulnerable versions, to be merged only once the security bug has been handled (closed).

Towards this end, I'd suggest a tag such as:

Pending: https://bugs.gentoo.org/NNNNNN — to reference a bug; the bug needs to be closed before this PR will be considered for merging.

Obviously it's also possible to file a second bug that depends on the security bug, but this doesn't block merging. QA checks don't make sense to run (since this removal commit will most likely remove all current stable versions).

Ideas and thoughts around this?

Kind Regards,
Jaco
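One way a merge-gating check for the proposed Pending: tag could be implemented, as an added example (not from the post or from Gentoo's tooling). It assumes Bugzilla's stock status workflow and the /rest/bug/ID response shape on bugs.gentoo.org, and runs against a constructed sample instead of a live query:

```python
import json
import re
import urllib.request
from typing import Callable

# The proposed tag, one per line; the bug id is the trailing number of the URL.
PENDING_RE = re.compile(r"^Pending:\s*https://bugs\.gentoo\.org/(\d+)\s*$", re.MULTILINE)

# Statuses Bugzilla treats as closed (assumption: stock workflow on bugs.gentoo.org).
CLOSED_STATUSES = {"RESOLVED", "VERIFIED", "CLOSED"}


def pending_bugs(pr_body: str) -> list[int]:
    """Bug ids named by Pending: tags in a PR description, in order of appearance."""
    return [int(m) for m in PENDING_RE.findall(pr_body)]


def is_closed(bug: dict) -> bool:
    """True if a Bugzilla bug record (one element of the `bugs` list) reports a closed status."""
    return bug.get("status") in CLOSED_STATUSES


def blocking_bugs(pr_body: str, lookup: Callable[[int], dict]) -> list[int]:
    """Pending: bugs that are still open; an empty list means the PR may be considered for merge."""
    return [b for b in pending_bugs(pr_body) if not is_closed(lookup(b))]


def fetch_bug(bug_id: int) -> dict:
    """Live lookup via the Bugzilla REST API (assumed endpoint; not used by the sample run below)."""
    with urllib.request.urlopen(f"https://bugs.gentoo.org/rest/bug/{bug_id}") as resp:
        return json.load(resp)["bugs"][0]


# Constructed sample data standing in for live Bugzilla responses.
SAMPLE_BUGS = {
    100001: {"id": 100001, "status": "RESOLVED", "resolution": "FIXED"},
    100002: {"id": 100002, "status": "IN_PROGRESS", "resolution": ""},
}

# Constructed PR description: the removal PR references the security bugs it waits on.
SAMPLE_PR = """\
app-foo/bar: remove vulnerable versions

Pending: https://bugs.gentoo.org/100001
Pending: https://bugs.gentoo.org/100002
"""

if __name__ == "__main__":
    # Swap SAMPLE_BUGS.__getitem__ for fetch_bug to check against the real tracker.
    print("blocked by:", blocking_bugs(SAMPLE_PR, SAMPLE_BUGS.__getitem__))
```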