On Wed, Sep 16, 2020 at 03:25:45PM +0200, Thomas Huth wrote:
> On 16/09/2020 15.06, Daniel P. Berrangé wrote:
> > Using a bug tracker has the notable advantage over direct email CC's
> > that if the security triage team needs to pull in a domain specific
> > expert, that newly added person can still see the full history of
> > discussion on the bug.
> >
> > With individual email CC's, the previous discussions are essentially
> > an information blackhole until the security triage team is good enough
> > to forward the full discussion history (this essentially never happens
> > in IME). Mailing list also has that easy archive access benefit.
> >
> > Is it possible to set up people to be able to view launchpad private
> > bugs, without also making them full admins for the QEMU launchpad
> > project ?
>
> Honestly, I'd rather like us to move to the gitlab bug tracker instead
> of extending our use of the launchpad tracker. LP is IMHO a really ugly
> bug tracking tool.

I assume you mean here moving to use GitLab for *all* bug tracking, not
merely security bug tracking ? I don't think it would be sane to split
our process across different bug trackers.

I have no love for LP, so wouldn't disagree with a move to GitLab,
especially if we're intending to expand its usage for other parts of
QEMU project infrastructure. If we ever use it as the canonical git repo
host, then I'd say using its bug tracker too is pretty much a no-brainer.

> > Does launchpad still send clear text email notifications to the
> > permitted admins for private bugs ? I recall I used to get clear
> > text emails for private bugs in the past for non-QEMU projects.
>
> IIRC, yes, the email notifications for the private bugs are still sent
> without encryption.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|