Bodhi2 no longer restricts changes to Security Response bugs (Regression) #368
Comments
|
Just adding that this is really important to Product Security and is a severe regression for us. |
ralphbean
added
Critical
|
Working on a fix for this now. From what I can tell from the bodhi1 code (and bodhi2), it will actually close the Security Response parent bugs if all of the bugs it |
…ing. This resolves part of issue #368
|
So with the above patch, I think bodhi2 should have the same behavior as bodhi1. Here is the logic around closing security bugs, which is the same from bodhi1. https://github.com/fedora-infra/bodhi/blob/develop/bodhi/models/models.py#L1115-L1146 |
Those bugs are not really expected to be in any other state than NEW. Hence the code was rarely used and I'd say to not add it to Bodhi2. |
|
Okay, cool. I'll remove it. |
|
Okay, this fix has been deployed to production. Hopefully it should only comment on Security Response when updates hit stable. Please re-open if this is not the case. Thanks! |
|
Previous comment suggests the fix is in production, however I just noticed the following change done when package was pushed to stable: https://bugzilla.redhat.com/show_bug.cgi?id=1256746#c3 Fixed In Version field was updated and bug CLOSED:NEXTRELEASE. |
…ing. This resolves part of issue #368
Bodhi2 lost all special handling of security bugs ("Security Response" BZ product, "vulnerability" component) that was implemented in Bodhi1. These are differences from the standard handling I can remember, hopefully not missing anything important. Bodhi1 code should serve as authoritative reference.
Basically, Bodhi is only expected to add comment when update is pushed to stable and do no other changes to the bugs.
Please handle this as regression that should be corrected ASAP.
Example of bug changes Bodhi should not be doing:
https://bugzilla.redhat.com/show_bug.cgi?id=1254547#c5
The text was updated successfully, but these errors were encountered: