
Stop emailing triage owners about security bugs when they cannot take the next action #2505

Open
ncalexan opened this issue Oct 15, 2024 · 6 comments · May be fixed by #2536

Comments

@ncalexan
Member

I recently rotated into the Firefox general triage role. I have gotten multiple emails about security bugs when I cannot "take the next action", e.g., to set the severity or close due to pending NI or whatever. The action that I can take is to ask for a CC in the #security Slack channel.

In discussion, I learned that it used to be the case that Bugbot would CC the triage owner(s) on security bugs, and that this was changed when groups migrated to a rotating general triage role. (To me, that seems sensible.) I also learned that there is an independent security triage process. (To me, that also seems sensible.)

Given these two points, I would like to either have Bugbot stop emailing triage owners about security bugs entirely, or to stop emailing triage owners that do not have at least editbugs on the particular security bugs. Prompting a triage owner to take action when they cannot is wasteful.

@ncalexan
Member Author

The specific email title in question that I have been receiving is: "Monday Oct 14 -- Severity and Priority Flags Alert".

@marco-c
Contributor

marco-c commented Oct 17, 2024

It makes sense to me, though I'm not sure if we can know whether the triage owner has the right permissions.

@ncalexan
Member Author

> It makes sense to me, though I'm not sure if we can know whether the triage owner has the right permissions.

Clearly something can know, because the email doesn't include details that I don't have access to:

> The following bug has no Severity field set for the last 4 weeks:
>
> Component | Bug | Summary
> -- | -- | --
> Toolkit::General | [1915257](https://bugzilla.mozilla.org/show_bug.cgi?id=1915257) | ...

@suhaibmujahid
Member

suhaibmujahid commented Oct 21, 2024

> Clearly something can know, because the email doesn't include details that I don't have access to:

@ncalexan This is shown for any private bug; it does not mean that the triage owner does not have the permissions.

@marco-c it could be a solution to drop the security bugs here. In a Slack thread, @mozfreddyb mentioned that there is a separate triage queue for new-and-unrated security bugs everywhere. Alternatively, we could send the emails to the security team instead of the triage owners. WDYT?

@marco-c
Contributor

marco-c commented Oct 21, 2024

I'm OK with whatever @mozfreddyb suggests :)

@mozfreddyb
Contributor

Echoing here what I said elsewhere: I think it should be fine to just omit them. We have separate triage that isn't bound to email reminders looking at all new and unrated security bugs.
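One way to implement the outcome this thread converges on, as an added example that is not Bugbot's own code: bugs in a security group are dropped from the triage-owner reminder and handed to the separate security triage queue, while the summary of any private bug is redacted to "..." exactly as the alert email already does. The group-name suffix, the `Bug` record shape and the sample bugs are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumption: Bugzilla security groups are recognised by this suffix.
# The real group names Bugbot checks are not given in the thread.
SECURITY_GROUP_SUFFIX = "-security"


@dataclass
class Bug:
    id: int
    component: str
    summary: str
    groups: list = field(default_factory=list)  # visibility-restricting groups

    @property
    def is_private(self) -> bool:
        return bool(self.groups)

    @property
    def is_security(self) -> bool:
        return any(g.endswith(SECURITY_GROUP_SUFFIX) for g in self.groups)


def redact_summary(bug: Bug) -> str:
    # The alert email shows "..." for every private bug, regardless of
    # whether the recipient could actually open it.
    return "..." if bug.is_private else bug.summary


def route_reminders(bugs):
    """Split bugs lacking a severity into the triage-owner email rows and
    the list of bug ids left to the independent security triage process."""
    triage_rows, security_queue = [], []
    for bug in bugs:
        if bug.is_security:
            security_queue.append(bug.id)
        else:
            triage_rows.append((bug.component, bug.id, redact_summary(bug)))
    return triage_rows, security_queue


def render_table(rows):
    lines = ["Component | Bug | Summary", "-- | -- | --"]
    lines += [f"{c} | {b} | {s}" for c, b, s in rows]
    return "\n".join(lines)


# Constructed sample: a security bug, a non-security private bug, a public bug.
SAMPLE = [
    Bug(1000001, "Toolkit::General", "constructed sec summary", ["core-security"]),
    Bug(1000002, "Toolkit::General", "constructed private summary", ["example-confidential"]),
    Bug(1000003, "Toolkit::General", "typo in about:preferences"),
]
```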
