On 1/19/20 2:37 PM, Robin H. Johnson wrote: > Please file a bug to infra with the list of old security embargoed bugs, > and we can help you get them fixed (probably by helping you review them > first). Here's a list of open security bugs, all of which should be de-embargoed and assigned to security@ instead of security-audit@: https://bugs.gentoo.org/show_bug.cgi?id=602722 https://bugs.gentoo.org/show_bug.cgi?id=603242 https://bugs.gentoo.org/show_bug.cgi?id=603258 https://bugs.gentoo.org/show_bug.cgi?id=603272 https://bugs.gentoo.org/show_bug.cgi?id=603328 https://bugs.gentoo.org/show_bug.cgi?id=603488 https://bugs.gentoo.org/show_bug.cgi?id=630752 https://bugs.gentoo.org/show_bug.cgi?id=630810 https://bugs.gentoo.org/show_bug.cgi?id=630814 https://bugs.gentoo.org/show_bug.cgi?id=630824 https://bugs.gentoo.org/show_bug.cgi?id=630830 https://bugs.gentoo.org/show_bug.cgi?id=630906 https://bugs.gentoo.org/show_bug.cgi?id=630908 https://bugs.gentoo.org/show_bug.cgi?id=630910 https://bugs.gentoo.org/show_bug.cgi?id=630912 https://bugs.gentoo.org/show_bug.cgi?id=630914 https://bugs.gentoo.org/show_bug.cgi?id=630918 https://bugs.gentoo.org/show_bug.cgi?id=630920 https://bugs.gentoo.org/show_bug.cgi?id=630972 https://bugs.gentoo.org/show_bug.cgi?id=631544 https://bugs.gentoo.org/show_bug.cgi?id=631546 https://bugs.gentoo.org/show_bug.cgi?id=631548 https://bugs.gentoo.org/show_bug.cgi?id=631552 https://bugs.gentoo.org/show_bug.cgi?id=602492 https://bugs.gentoo.org/show_bug.cgi?id=602552 https://bugs.gentoo.org/show_bug.cgi?id=602594 https://bugs.gentoo.org/show_bug.cgi?id=603518 The following should also be de-embargoed. These are RESO/FIXED bugs that I've closed myself after I got tired of waiting for a response from security-audit@: https://bugs.gentoo.org/show_bug.cgi?id=603522 https://bugs.gentoo.org/show_bug.cgi?id=630836 https://bugs.gentoo.org/show_bug.cgi?id=631538 And finally, the RESO/OBSOLETE ones: https://bugs.gentoo.org/show_bug.cgi?id=603344 https://bugs.gentoo.org/show_bug.cgi?id=630812 https://bugs.gentoo.org/show_bug.cgi?id=630902 I would also suggest discontinuing the security-audit@ sub-project and the embargo feature entirely. I can't say the experience has been great. These bugs don't show up in a search, and often the maintainers can't see them because adding a project to CC doesn't allow the project members to see the bug. No one reassigns them when metadata.xml is changed, etc. The security-audit@ email address is /dev/null as far as I can tell.
security-audit: your mail alias presently goes to k_f,zx2c4,blueknight mjo is not a member of either security@ or security-audit@, so I'm looking for confirmation that the bugs should be bulk-moved to security@ for further triage instead of security-audit@. I feel looking at the bugs, that the maintainers of those packages never saw the bugs, because they weren't properly on the CC list, and/or they explicitly search for those assigned to the alias.
(In reply to Robin Johnson from comment #1) > security-audit: > your mail alias presently goes to k_f,zx2c4,blueknight > > ... If this was going to work, we wouldn't be here in the first place =)
Processed now
Awesome, thanks!