mozilla / bugbot

A Mozilla release management tool to send reminders to Firefox developers and improve Bugzilla metadata
BSD 3-Clause "New" or "Revised" License

Stop emailing triage owners about security bugs when they cannot take the next action #2505

Open ncalexan opened 3 weeks ago

ncalexan commented 3 weeks ago

I recently rotated into the Firefox general triage role. I have gotten multiple emails about security bugs when I cannot "take the next action", e.g., to set the severity or close due to pending NI or whatever. The action that I can take is to ask for a CC in the #security Slack channel.

In discussion, I learned that it used to be the case that Bugbot would CC the triage owner(s) on security bugs, and that this was changed when groups migrated to a rotating general triage role. (To me, that seems sensible.) I also learned that there is an independent security triage process. (To me, that also seems sensible.)

Given these two points, I would like to either have Bugbot stop emailing triage owners about security bugs entirely, or to stop emailing triage owners that do not have at least editbugs on the particular security bugs. Prompting a triage owner to take action when they cannot is wasteful.

ncalexan commented 3 weeks ago

The specific email title in question that I have been receiving is: "Monday Oct 14 -- Severity and Priority Flags Alert".

marco-c commented 2 weeks ago

It makes sense to me, though I'm not sure if we can know whether the triage owner has the right permissions.

ncalexan commented 2 weeks ago

> It makes sense to me, though I'm not sure if we can know whether the triage owner has the right permissions.

Clearly something can know, because the email doesn't include details that I don't have access to:

The following bug has no Severity field set for the last 4 weeks:

Component | Bug | Summary
-- | -- | --
Toolkit::General | [1915257](https://bugzilla.mozilla.org/show_bug.cgi?id=1915257) | ...

suhaibmujahid commented 2 weeks ago

> Clearly something can know, because the email doesn't include details that I don't have access to:

@ncalexan This is shown for any private bug; it does not mean that the triage owner does not have the permissions.

@marco-c it could be a solution to drop the security bugs here. In a Slack thread, @mozfreddyb mentioned that there is a separate triage queue for new-and-unrated security bugs everywhere. Alternatively, we could send the emails to the security team instead of the triage owners. WDYT?

marco-c commented 2 weeks ago

I'm OK with whatever @mozfreddyb suggests :)

mozfreddyb commented 16 hours ago

Echoing here what I said elsewhere: I think it should be fine to just omit them. We have separate triage that isn't bound to email reminders looking at all new and unrated security bugs.
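One way to implement the change agreed on in this thread (skip security-group bugs when building the severity reminder, while keeping the "..." summary the email already shows for other private bugs), as an added example that is not bugbot's own code. It assumes Bugzilla exposes a bug's restricting groups in a `groups` field, that "--" means Severity is unset, and that the listed group names identify security bugs; the sample bugs are constructed.

```python
from dataclasses import dataclass, field

# Assumptions for this example: Bugzilla reports a bug's restricting groups in
# its `groups` field, "--" means Severity is unset, and these group names mark
# security-restricted bugs (a constructed set, not bugbot's own).
SECURITY_GROUPS = {"core-security", "core-security-release"}

@dataclass
class Bug:
    id: int
    component: str
    summary: str
    severity: str
    weeks_unset: int          # weeks the Severity field has been unset
    groups: list = field(default_factory=list)

def is_security_bug(bug):
    """True when any of the bug's groups is a security group."""
    return any(g in SECURITY_GROUPS for g in bug.groups)

def needs_severity_reminder(bug, min_weeks=4):
    """Severity still unset after the threshold (4 weeks in the alert email)."""
    return bug.severity == "--" and bug.weeks_unset >= min_weeks

def build_reminder_rows(bugs, skip_security=True):
    """Rows for the alert table: private bugs show '...', security bugs are skipped."""
    rows = []
    for bug in bugs:
        if not needs_severity_reminder(bug):
            continue
        # Security bugs have their own triage queue, so no reminder is sent.
        if skip_security and is_security_bug(bug):
            continue
        # Any group-restricted bug is redacted, as the existing email does.
        summary = "..." if bug.groups else bug.summary
        rows.append((bug.component, bug.id, summary))
    return rows

# Constructed sample input: a public bug, a security bug, a private but
# non-security bug, and a bug whose severity is already set.
SAMPLE_BUGS = [
    Bug(1, "Toolkit::General", "Public crash on startup", "--", 5),
    Bug(2, "Core::DOM", "Security issue", "--", 6, ["core-security"]),
    Bug(3, "Firefox::General", "Internal note", "--", 4, ["mozilla-employee-confidential"]),
    Bug(4, "Toolkit::General", "Already triaged", "S3", 8),
]

if __name__ == "__main__":
    for row in build_reminder_rows(SAMPLE_BUGS):
        print(row)
```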